The United Kingdom’s Information Commissioner’s Office (ICO) has released detailed guidance on the use of encryption under the UK GDPR. This guidance is a part of the ICO’s wider information-security programme and is designed to help organisations use encryption effectively to safeguard personal information.
This article outlines the key points of the ICO’s guidance on encryption and its role within an organisation’s overall security framework.
What Is Encryption?
The ICO defines encryption as “a process that uses a secret key to encode information, ensuring that only those with access to the key can read it.” In practice, encryption transforms readable information (plaintext) into an unreadable format (ciphertext). Decryption reverses the process, restoring the information to its original form when the correct key is used.
The ICO recognises the resilience of modern encryption methods, stating that, when properly implemented, modern encryption can resist brute-force guessing for impractically long periods (potentially millions of years, depending on the key type and the computing power available). This is why encryption is widely recognised as one of the most reliable safeguards against unauthorised access to personal data.
What Does the UK GDPR Say About Encryption?
The UK GDPR requires organisations to protect personal data with appropriate technical and organisational measures (also known as TOMs). Encryption is specifically cited in Article 32 as an example of such a measure.
The ICO stresses that encryption is not mandated in every circumstance, and the UK GDPR does not require it as such. Instead, it should be applied on the basis of risk, taking into account the sensitivity of the data, the potential harm to individuals, the technology available, and the proportionality of cost.
That said, the ICO’s guidance is clear that for most day-to-day scenarios, such as sending data across the internet, storing it on devices, or holding it on removable media, encryption is an expected safeguard. For example, the ICO expects all websites to implement HTTPS across every page, not only on login or payment screens.
When Should an Organisation Use Encryption?
According to the ICO, there are several common scenarios where encryption should be routine:
- During transmission, i.e. whenever data is sent electronically, whether by email, web form, or network transfer, it should be encrypted in transit.
- During storage, i.e. computers, servers, laptops, and smartphones holding personal data should use encryption at rest.
- When using portable media, i.e. removable storage such as USB sticks or external drives, which should be encrypted because it is particularly vulnerable to loss or theft.
Types of Encryption: Symmetric and Asymmetric
The ICO distinguishes between two primary forms of encryption:
- Symmetric encryption, wherein the same key is used to both encrypt and decrypt the data. The ICO notes that this method is fast and effective but requires secure key-sharing practices.
- Asymmetric encryption, involving a pair of keys, one public and one private. The public key encrypts the data, but only the private key can decrypt it. Asymmetric encryption underpins secure technologies like HTTPS and secure email, often used in combination with symmetric methods for efficiency.
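The combination the ICO describes, asymmetric keys for exchanging a secret and fast symmetric encryption for the data itself, is easiest to see in a hybrid (envelope) scheme. The Go program below is an added example written for this article, not code from the ICO or its guidance: it encrypts a record with AES-256-GCM under a fresh random data key, wraps that key with the recipient's RSA public key using OAEP, and shows that only the private-key holder can recover the record. The sample record, the 2048-bit RSA key, and the names Envelope, Encrypt and Decrypt are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is everything a recipient needs to recover a record: the one-time
// AES-256 data key wrapped under their RSA public key, the GCM nonce, and the
// symmetric ciphertext (which carries GCM's authentication tag).
type Envelope struct {
	WrappedKey []byte
	Ciphertext []byte
	Nonce      []byte
}

// newGCM builds an AES-GCM AEAD for a 16/24/32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt is the hybrid scheme: the bulk record is protected with fast
// symmetric AES-256-GCM under a fresh random key, and only that 32-byte key is
// encrypted asymmetrically with RSA-OAEP, so sender and recipient never need a
// pre-shared secret.
func Encrypt(recipient *rsa.PublicKey, record []byte) (*Envelope, error) {
	dataKey := make([]byte, 32) // 256-bit key, matching the ICO's AES-256 example
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // must never repeat under one key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, dataKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, record, nil),
	}, nil
}

// Decrypt reverses Encrypt. Only the private-key holder can unwrap the data
// key, and GCM's tag check rejects any ciphertext that was altered in transit.
func Decrypt(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong private key or damaged envelope")
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	record, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("integrity check failed: ciphertext was modified")
	}
	return record, nil
}

func main() {
	// Constructed sample record for the demo; no real personal data.
	record := []byte("customer_id=0001;name=Ada Example;email=ada@example.invalid")
	recipient, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	env, err := Encrypt(&recipient.PublicKey, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped key: %d bytes, ciphertext: %d bytes\n", len(env.WrappedKey), len(env.Ciphertext))
	plain, err := Decrypt(recipient, env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %s\n", plain)
}
```

The design choice worth noting is that the asymmetric operation touches only 32 bytes regardless of how large the record is, which is why HTTPS and secure email use the same pattern; the key-sharing problem the ICO flags for symmetric encryption is solved by the public key, while the symmetric layer does the heavy lifting.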
How Do We Decide When Encryption Is Important?
The ICO frames encryption as a risk-based decision within a defence-in-depth approach to security. It sets out the following steps for organisations to keep in mind when deciding whether and how to encrypt:
- Carry out a risk assessment, ideally within a data protection impact assessment (DPIA), to evaluate the value, sensitivity, and confidentiality of the personal data the organisation processes;
- Consider the purpose and context of processing, risks to individuals’ rights, state-of-the-art technologies, costs, and the scale of the organisation’s systems and staff access;
- Put in place a policy governing the use of encryption; and
- Use encryption alongside other controls such as access restrictions, secure configuration, backups, and key management.
The ICO reminds organisations that while encryption reduces risk, it does not eliminate it. Keys can be lost, misused, or compromised. Encrypted data also remains personal data under UK data protection law if it relates to an identifiable person.
ICO’s Recommendations for Encryption in Storage
The ICO strongly advises encrypting all personal data stored on laptops, smartphones, tablets, USB drives, servers, and backup media. Full-disk encryption is highlighted as an essential control and the ICO notes that most operating systems now include this functionality, which encrypts all device data and unlocks it only when a password is entered.
To ensure storage encryption is effective, the ICO recommends:
- Using complex, sufficiently long passcodes.
- Avoiding password storage near the device itself.
- Choosing alphanumeric codes rather than numeric-only ones.
- Treating removable media as high risk and encrypting by default.
Failing to encrypt data has led to serious breaches and enforcement action in the past. Conversely, enabling encryption significantly reduces risks to individuals, reputational harm, and regulatory penalties. In the ICO’s words, encryption for stored data is a baseline expectation.
ICO’s Recommendations for Encryption in Transit
The ICO also advises encrypting personal data whenever it is transmitted, whether over the internet, Wi-Fi, or wired networks. Encryption in transit prevents interception and eavesdropping by third parties.
For web services and other networked transfers, the ICO recommends that organisations:
- Use HTTPS across all pages of websites, not just login or checkout screens.
- Avoid outdated protocols such as SSL and TLS versions 1.0 and 1.1. The ICO stresses that only TLS 1.2 and TLS 1.3 are considered secure.
- Use other secure methods such as TLS or VPNs where appropriate and test implementations regularly with recognised tools.
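The minimum-version rule above is something a server can enforce in its own configuration rather than leave to defaults. The Go program below is an added example for this article, not code from the ICO's guidance: it builds a server TLS policy that refuses anything below TLS 1.2, then runs real handshakes over an in-memory pipe against clients capped at TLS 1.1, 1.2 and 1.3 to show which are accepted. The throw-away self-signed certificate for "localhost", the in-memory connection, and the names ServerConfig and Negotiate are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// ServerConfig expresses the transport policy the ICO describes: SSL and
// TLS 1.0/1.1 are never negotiated, only TLS 1.2 and 1.3. Session tickets are
// disabled so the in-memory handshake below has no trailing writes.
func ServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             tls.VersionTLS12,
		SessionTicketsDisabled: true,
	}
}

// selfSignedCert builds a throw-away ECDSA P-256 certificate for "localhost"
// so the handshake can be exercised entirely in-process (test material only).
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// Negotiate runs a full handshake over an in-memory pipe between a server
// using ServerConfig and a client whose newest supported version is
// maxClientVersion. It returns the negotiated version, or the handshake error.
func Negotiate(maxClientVersion uint16) (uint16, error) {
	cert, err := selfSignedCert()
	if err != nil {
		return 0, err
	}
	serverSide, clientSide := net.Pipe()
	defer serverSide.Close()
	defer clientSide.Close()

	pool := x509.NewCertPool() // the client trusts only the throw-away cert
	pool.AddCert(cert.Leaf)
	srv := tls.Server(serverSide, ServerConfig(cert))
	cli := tls.Client(clientSide, &tls.Config{
		RootCAs:    pool,
		ServerName: "localhost",
		MinVersion: tls.VersionTLS10, // deliberately permissive legacy client
		MaxVersion: maxClientVersion,
	})

	srvErr := make(chan error, 1)
	go func() { srvErr <- srv.Handshake() }()
	if err := cli.Handshake(); err != nil {
		clientSide.Close() // unblock the server goroutine before returning
		<-srvErr
		return 0, err
	}
	if err := <-srvErr; err != nil {
		return 0, err
	}
	return cli.ConnectionState().Version, nil
}

// versionName labels the protocol versions used in the demo output.
func versionName(v uint16) string {
	switch v {
	case tls.VersionTLS10:
		return "TLS 1.0"
	case tls.VersionTLS11:
		return "TLS 1.1"
	case tls.VersionTLS12:
		return "TLS 1.2"
	case tls.VersionTLS13:
		return "TLS 1.3"
	}
	return fmt.Sprintf("%#x", v)
}

func main() {
	for _, v := range []uint16{tls.VersionTLS11, tls.VersionTLS12, tls.VersionTLS13} {
		got, err := Negotiate(v)
		if err != nil {
			fmt.Printf("client max %s: handshake refused (%v)\n", versionName(v), err)
			continue
		}
		fmt.Printf("client max %s: negotiated %s\n", versionName(v), versionName(got))
	}
}
```

The check here covers protocol version only; the "recognised tools" the ICO refers to for regular testing also report cipher suites, certificate validity and HTTPS coverage across a site, so a version floor in configuration complements rather than replaces that testing.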
The ICO cautions that transit encryption protects data only while it is moving. Once it arrives at its destination, it must also be protected in storage. Organisations should therefore treat encryption in transit as one part of a wider strategy.
The ICO’s Recommendations on Choosing and Managing Encryption
The ICO stresses that effective encryption depends not just on using it, but on choosing and managing it correctly. Organisations must keep in mind the following:
- Using proven standards like the Advanced Encryption Standard (AES) with strong key lengths (e.g. 256-bit) and not creating their own cryptography.
- Selecting reputable software, especially certified solutions. Poorly designed or untested software can compromise encryption, even with good algorithms.
- Managing keys securely, i.e. by keeping them secret, rotating them regularly, revoking compromised keys, and avoiding weak passwords. The ICO also advises having in place a plan for recovery if keys are lost.
- Testing and evaluating their security measures, as the UK GDPR requires. This involves maintaining a cryptographic inventory, monitoring for vulnerabilities, and being ready to switch methods if a standard becomes unsafe.
Including Encryption as Part of a Broader Security Strategy
The ICO emphasises that encryption must sit within a layered security approach. Alongside encryption, organisations should:
- Enforce access controls and strong authentication;
- Keep systems updated and avoid deprecated protocols;
- Use additional measures such as firewalls, VPNs, integrity checks, and monitoring systems;
- Train staff to use encryption correctly and to avoid unsafe practices (like emailing unencrypted files or writing down passwords); and
- Embed encryption at the design stage of new systems to meet the UK GDPR’s “data protection by design and by default” requirement.
Conclusion
The ICO’s encryption guidance under UK GDPR makes one point very clear: encryption is no longer optional. It is a widely available, cost-effective tool that should be routinely applied when storing or transmitting personal data.
By choosing trusted methods, managing keys securely, and embedding encryption within a wider security strategy, organisations can not only comply with the law but also protect individuals from harm, strengthen trust, and reduce their own regulatory and reputational risks.