Encryption: Do it early, do it often, says data watchdog

At least one bit of the government still thinks that encryption is a good idea.
Written by Danny Palmer, Senior Writer
password encryption

The ICO has offered advice on encryption.

Image: Shutterstock

Organisations should consider encrypting data now, rather than later and risking the reputational and financial damage they'll suffer if unencrypted data is lost as a result of a breach.

That's according to new guidelines around encryption released by the UK data protection watchdog, the Information Commissioner's Office, which says despite the ease that encryption software can be used, companies often have no idea whether their data is encrypted or not.

This, the ICO says, is a risk, especially given numerous large data breaches at high profile organisations - such as TalkTalk and JD Wetherspoon - and vulnerabilities such as the recently discovered OpenSSL security hole dubbed Drown.

While encryption isn't a legal requirement, ICO senior technology officer Peter Brown writes in a blog post, organisations should be considering it as an 'appropriate' measure they can use to keep data safe, especially given the ease of which it can be applied.

"The Data Protection Act does not specify the use of encryption but it does say that data controllers should use appropriate measures to keep the personal data they hold secure. Encryption, being a widely available technology with a relatively low cost of implementation, is one such measure," he says.

Brown also issues a reminder that the ICO has fined numerous organisations which have lost data, with significant penalties being paid by those which took no effort to encrypt data.

"The ICO takes the view that regulatory action may follow in cases where a lack of encryption has led to a loss of data. A significant number of the monetary penalties we have issued since 2010 relate to the failure to use encryption correctly as a technical security measure. Where data is not appropriately secured, loss, theft or inappropriate access is much more likely to occur," he says.

The watchdog also reminds organisations that in addition to financial penalties, "data controllers risk significant damage to their reputation if they do not store personal data securely".

Additional information about encryption has been added to the ICO's website in a section dedicated to guidance for organisations, which details the basics about the technology and examples of when it should be used.

For example, it's recommended that employers should encrypt laptops, in order to "significantly reduce the chance of unauthorised or unlawful processing of the data in the event of loss or theft".

Nonetheless, despite the recommendations, the ICO warns that encryption isn't a cure-all panacea, because whilst it would be difficult to crack an encryption key, it isn't a totally impossible task, because as computing power increases, "the length of time taken to try a large number of keys will reduce so it is important to keep algorithms and key sizes under consideration".

Ultimately, the ICO says, while everyone's needs are different when it comes to need for encryption, it's one of the best ways to ensure that sensitive data is kept hidden and way to prevent organisations receiving a monetary penalty for bad data storage etiquette.

"Encryption doesn't have to be complicated or difficult and could help you avoid a fine. Don't wait until after a data breach to start using it," Brown said.

More on encryption

Editorial standards