There have been numerous incidents where personal data has been stolen, lost or subject to unauthorised access. In many of these cases, these were caused by data being inadequately protected or the devices holding the data being left in insecure or inappropriate places.
The General Data Protection Regulations (GDPR) suggests that businesses must design and organise their security to fit the nature of the personal data they hold and the harm that may result from a security breach. The Information Commissioner has formed the view that in future, where such losses occur and where encryption software has not been used to protect the data, regulatory action may be pursued. Organisations should consider encryption alongside a range of other technical and organisational security measures.
When processing data, there are a number of areas that can benefit from the use of encryption. The benefits and risks of using encryption at these different points in the life-cycle should be assessed carefully. The success of encryption mainly depends on:
Organisations should have a policy governing the use of encryption, including guidelines that enable staff to understand when they should and should not use it. For example, there may be a guideline stating that any email containing sensitive personal data (either in the body or within an attachment) should be sent encrypted.
Using encryption appropriately is very important for data protection. This is the time when the business and technology experts need to work together to define an encryption policy that addresses their industry and sector specific data protection needs and also will comply with the upcoming GDPR.