With growing digital threats and increasing amounts of personal data being processed, encryption has become a vital element of data security. This article explores the latest recommendations of the Information Commissioner’s Office (ICO), outlining how encryption works, when it should be used, and how organisations can implement it effectively.
The importance of encryption under the UK GDPR
In May 2025, the ICO released updated encryption guidance aimed at helping organisations navigate their obligations under the UK General Data Protection Regulation (UK GDPR).
Articles 5(1)(f) and 32 of the UK GDPR require personal data to be processed securely, and Article 32 names "the pseudonymisation and encryption of personal data" as one of the measures to consider. Encryption is therefore specifically recommended as a means of protecting that data, but it is not mandatory in every case. Instead, organisations are expected to assess its suitability by considering the nature and severity of the risks involved, the cost of implementation, and the current state of technological development, a phrase the regulation itself calls the "state of the art."
How encryption works
Encryption transforms readable data (plaintext) into an unreadable form (ciphertext) using an algorithm and a cryptographic key. Without the corresponding decryption key, the information remains inaccessible. There are two main types of encryption, symmetric and asymmetric:
- Symmetric encryption uses the same key to both encrypt and decrypt data, requiring secure sharing of that key between parties.
- Asymmetric encryption, by contrast, uses a pair of keys: a public key for encryption and a private key for decryption. Because anyone can encrypt to a published public key, it is especially useful for secure communication between parties who have not previously exchanged a shared secret. In practice the two are combined: asymmetric encryption protects a per-message symmetric key, and that symmetric key protects the bulk data.
A key property of a well-designed cipher is its resistance to brute force attacks, in which an attacker tries every possible key in turn. With a modern algorithm and an adequate key length, for example AES with a 128-bit or 256-bit key, the number of candidate keys is so large that exhaustive search is infeasible in any realistic time frame. Brute force is therefore rarely the weak point; in practice attackers go after the key where it is stored, flaws in the implementation, or the people who hold it.
Understanding the “state of the art”
Evaluating the effectiveness of encryption means understanding the current "state of the art." This refers to how up-to-date, secure, and reliable the technology is. A state-of-the-art encryption solution should be widely adopted, adhere to well-recognised technical standards such as FIPS 140-3 (validation of cryptographic modules) or FIPS 197 (the AES specification), and ideally hold certification from trusted authorities. The UK's National Cyber Security Centre (NCSC), for example, offers product certification through its CAPS scheme.
Cost is also an important factor. Fortunately, many effective encryption tools are affordable or even free to use, especially for common applications like securing emails, devices, web traffic, and portable storage.
Applying encryption in different contexts
Encryption can be applied at various stages of data handling. One common use is to protect stored data. Whether it’s on servers, laptops, mobile phones, or backup systems, encrypted storage ensures that even if the device is lost or stolen, the data remains protected.
Encryption also plays a critical role in securing data in transit. When information travels across the internet, such as during email exchanges or when submitting data through a website, encryption prevents unauthorised users from intercepting and reading the content. HTTPS, which is built on Transport Layer Security (TLS), is a widely used protocol that ensures web traffic is encrypted.
Processing encrypted data is another evolving area. Traditionally, encrypted data had to be decrypted before it could be used. Newer techniques such as homomorphic encryption allow certain computations to be carried out while the data remains encrypted, offering security without sacrificing functionality, although these techniques are still specialised and considerably more expensive than conventional processing.
Implementing full disk encryption
Full disk encryption protects all data stored on a device. Although the ICO does not endorse specific tools, the focus should be on preventing unauthorised access if a device is lost or stolen. Mobile devices are especially vulnerable. In the absence of encryption, the exposure of personal data can lead to identity theft, fraud, and other serious consequences. Reputational damage and regulatory penalties can also follow.
A past example illustrates the risk: In 2013, Glasgow City Council was fined £150,000 for losing two unencrypted laptops. One of them contained the personal information of more than 20,000 people.
Today, most operating systems offer full disk encryption as a built-in feature. Organisations should evaluate whether enabling this feature is appropriate for their needs, bearing in mind two limits: full disk encryption protects data only while the device is powered off or locked, not against malware running on an unlocked system, and the recovery keys it generates must themselves be stored securely, or a forgotten password turns into permanent data loss.
Encrypting data in transit with HTTPS
HTTPS is a widely used protocol that encrypts data as it travels between a user's browser and a website. It ensures that personal information such as passwords or payment details cannot be read or tampered with in transit, and that the browser is talking to the genuine site rather than an impostor. HTTPS relies on TLS, which replaced the older and less secure SSL protocol. All versions of SSL and the older TLS versions (1.0 and 1.1) are now deprecated and should not be used.
Current best practice is to use TLS 1.2 or, preferably, TLS 1.3, which drops the obsolete cipher suites and key-exchange modes responsible for many TLS 1.2 weaknesses and completes the handshake in fewer round trips. Proper configuration is essential: a server that still offers weak protocol versions or cipher suites, or a client that skips certificate validation, loses much of the protection HTTPS is meant to provide.
Encrypted email for secure communication
When assessing the security of email communication, it is important to understand the distinction between standard encryption methods such as TLS and end-to-end encryption (E2EE), even though ICO guidance does not explicitly outline this difference.
Standard email encryption typically uses TLS, which secures the message only while it is in transit, for example between your device and the mail server, or between mail servers. Once the message reaches a server it is decrypted, so the email service provider, or anyone with access to that server, may still be able to read the content. Between mail servers the TLS protection is usually opportunistic (STARTTLS) and may be absent for some hops altogether.
In contrast, E2EE encrypts the message on the sender's device so that only the intended recipient, using their private decryption key, can read it. At no point during transmission or storage can the content be read by third parties, including service providers, which provides a much higher level of confidentiality. Note that message headers such as sender, recipient and, in most deployments, the subject line remain visible to the servers that route the mail.
Technologies such as OpenPGP and S/MIME implement E2EE by encrypting both the message body and its attachments. For example, S/MIME allows users to digitally sign and encrypt emails so that only the intended recipient can decrypt the content using their private key. This ensures that the message remains confidential and unaltered throughout its journey.
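The difference between hop-by-hop TLS and end-to-end encryption is easiest to see with both paths modelled side by side. The following added example (not from the ICO guidance or the original article) runs a message through a sender, a mail server and a recipient in-process. The keys are constructed at random for the demonstration; in reality the transport keys come from the TLS handshakes and, in S/MIME or OpenPGP, the content key is wrapped under the recipient's public key, a step omitted here so the example stays within the standard library. The cipher is a minimal encrypt-then-MAC construction built from HMAC-SHA256 in counter mode, chosen only because it needs no third-party package; production code should use a vetted AEAD such as AES-GCM from a cryptography library.

```python
"""Transport-only (TLS hop-by-hop) versus end-to-end email encryption, modelled in-process."""
import hashlib
import hmac
import secrets
import struct

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream using HMAC-SHA256 as the PRF (illustrative, not a standard cipher)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    # Independent encryption and authentication keys derived from one master key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject altered or mis-keyed messages."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: message altered or wrong key")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


# Constructed keys (assumed for the demonstration).
K_SENDER_SERVER = secrets.token_bytes(32)     # TLS session: sender's client <-> mail server
K_SERVER_RECIPIENT = secrets.token_bytes(32)  # TLS session: mail server <-> recipient's client
K_END_TO_END = secrets.token_bytes(32)        # content key known only to sender and recipient


def deliver_transport_only(message: bytes) -> dict:
    """TLS on each hop: the server must decrypt to route the mail, so it sees the plaintext."""
    at_server = unseal(K_SENDER_SERVER, seal(K_SENDER_SERVER, message))
    at_recipient = unseal(K_SERVER_RECIPIENT, seal(K_SERVER_RECIPIENT, at_server))
    return {"server_sees": at_server, "recipient_reads": at_recipient}


def deliver_end_to_end(message: bytes) -> dict:
    """Body encrypted on the sender's device; transport TLS wraps ciphertext, not plaintext."""
    body = seal(K_END_TO_END, message)
    at_server = unseal(K_SENDER_SERVER, seal(K_SENDER_SERVER, body))      # still ciphertext
    at_recipient = unseal(K_SERVER_RECIPIENT, seal(K_SERVER_RECIPIENT, at_server))
    return {"server_sees": at_server, "recipient_reads": unseal(K_END_TO_END, at_recipient)}


if __name__ == "__main__":
    msg = b"Patient reference 4711: appointment moved to Tuesday"  # constructed sample
    print("transport-only, server sees:", deliver_transport_only(msg)["server_sees"])
    print("end-to-end, server sees:    ", deliver_end_to_end(msg)["server_sees"].hex()[:32], "...")
```

In the transport-only path `server_sees` is the readable message; in the end-to-end path it is opaque ciphertext, and any byte the server alters is caught by the tag check on the recipient's side rather than silently accepted.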
However, E2EE does come with certain risks, most notably the potential loss of private keys, which makes it impossible to decrypt messages already received. Organisations therefore need robust key management procedures, including secure backup of private keys. Where full E2EE is not practical, an alternative is to send sensitive content as an encrypted attachment, which still offers a degree of protection over a less secure email channel, provided the password or key is shared through a separate channel rather than in the same email.
Encryption does not eliminate all risks
Despite its strength, encryption is not foolproof. It reduces the risk of data exposure but does not remove it entirely. Organisations must consider the residual risks and implement encryption alongside other security measures. Key management is especially critical: losing a decryption key can result in permanent data loss, which is itself a personal data breach because availability has been lost. If important files such as financial records or personal photos become inaccessible, the consequences for the affected individuals can be severe. Keys therefore need the same care as the data they protect, including backups or split custody so that no single lost device or departing employee takes the only copy with them.
In the event of a breach, properly encrypted data may remove the obligation to notify the affected individuals, since the information is unintelligible to unauthorised parties. Encryption does not by itself remove the duty to report the breach to the ICO, which applies unless the breach is unlikely to result in a risk to individuals, and a breach that affects the availability of personal data (a lost key, for example) is still reportable even though no one else can read the data.
Conclusion
The ICO’s updated encryption guidance reinforces the importance of encryption as a core component of data protection. While it is not a one-size-fits-all solution, encryption when implemented thoughtfully and supported by effective policies can significantly strengthen an organisation’s data security posture. By understanding its applications, limitations, and best practices, organisations can meet their legal obligations, protect personal data, and maintain public trust in an increasingly digital world.