Encrypt or face regulatory action
Published 19 April 2016
Encryption has become something of a hot topic recently as the battle between Apple and the FBI in the US Courts has been discussed across the world, highlighting the tension between the right to privacy and national security. Individuals' understanding of their rights, and consequently their expectations of privacy, are increasing, and companies that hold personal data should carefully consider the data they hold and the steps they take to protect it.
Data breaches are now daily occurrences, but in the initial aftermath of a breach, it is not uncommon for organisations of all shapes and sizes to confess that the data was not encrypted or that they simply do not know whether it was or not. Being able to emphatically declare the data was encrypted, meaning there is little chance of unauthorised access to that data, will result in happier customers, a happier regulator, and potentially lower penalties in the event of a breach.
Currently, the Data Protection Act 1998 ("DPA") does not require encryption, but the ICO strongly encourages its use and it is considered a mitigating factor when the ICO issues monetary penalties for breaches of the DPA. This month, the ICO did not mince its words, stating "where data breaches occur and encryption software has not been used to protect the data, regulatory action may be pursued."
Looking ahead, the GDPR, set to come into force in two years' time, specifically refers to encryption as a step (taken alongside other technical and organisational measures) that is indicative of an appropriate level of security and, interestingly, provides that it may not be necessary to notify a breach to the regulator or data subjects where the data is encrypted. Essentially, this provides an opportunity to avoid news of the breach leaking into the public domain, limiting damage to reputation caused by a breach.
So, if there wasn't enough reason to get on top of encryption before, there certainly is now. For organisations starting from nothing, the range of encryption options available can seem bamboozling.
However, help is out there. The ICO this month published a guide to encryption setting out the various types, methods of implementation, and various practical scenarios involving the processing of personal data. The ICO, while acknowledging that encryption should be one element of a wider data security programme, has made clear that it expects to see it used as standard – it is a widely available technology with a relatively low cost of implementation.
The European Data Protection Supervisor also published guidance this month on how to ensure a "secure and trustworthy digital environment". This highlighted the need for regular reviews of security controls in light of technology and market developments, to stay ahead of the cyber threat.
So, the overarching message to take home? Encrypt now, and review regularly. As the ICO stated in its blog this month: "don't wait until after a data breach to start using it".
Submitted by Helen Nuttall, Solicitor