Earlier this month, the Information Commissioner’s Office (ICO) published security guidance in its guide to the General Data Protection Regulation (GDPR).
Article 32(1)(a) of the GDPR names encryption (alongside pseudonymisation) as an example of an appropriate technical and organisational measure. The guidance sets out four things that should be considered when implementing encryption:
- The algorithm. This should be appropriate for its use and should be assessed regularly to ensure that it remains appropriate;
- The key size. This should be large enough to protect against an attack, and its appropriateness should be assessed regularly;
- The software. The ICO states that this should meet current standards such as FIPS 140-2 (validation of cryptographic modules) and FIPS 197 (the AES specification); and
- The security of the key. The ICO provides that keys must be kept securely and businesses should have processes in place to generate new keys when necessary.
The ICO makes clear that, depending on the circumstances of the incident, regulatory action may be pursued where personal data is lost or destroyed and it was not encrypted.