Encryption is not a strict legal requirement: The Data Protection Act does not specify the use of encryption but it does say that data controllers should use appropriate measures to keep the personal data they hold secure. Encryption is one such measure.

In many cases encryption can provide an appropriate safeguard against the unauthorised or unlawful processing of personal data, especially in cases where it is not possible to implement alternative measures. 

The ICO takes the view that regulatory action may follow in cases where a lack of encryption has led to a loss of data. A significant number of the monetary penalties issued by the ICO since 2010 relate to the failure to use encryption correctly as a technical security measure.


This article is intended for informational purposes only and should not be relied upon as legal advice.

PS: While you’re here, why not take out DP Test?

To contact DataHelp email robert.wassall@datahelp.co.uk or call 07902 395989