Decrypting the ICO’s Draft Updated Guidance On Encryption

ICO Consultation and Draft Updated Guidance

Because many data breaches are caused by human error, encryption not only offers a secure way of sending personal data but also provides another layer of protection if a breach does occur. The Information Commissioner’s Office (“ICO”) recently published draft updated guidance on encryption, on which it is consulting. The consultation remains open until the end of 24 June 2025.

The ICO has published two main updates:

  1. It has made appropriate use of the words “must”, “should” and “could” to help ensure clarity regarding the obligations of organisations in relation to encryption, and to uphold consistency with other guidance.
  2. It has updated the “encryption in practice” section of the encryption guidance to keep up with modern technology, and make clear that it expects all organisations to use Hypertext Transfer Protocol Secure (HTTPS).

Under the “About this guidance” section of the draft updated guidance, the ICO explains how it uses these words. “Must” refers to legal requirements by which organisations are bound; “should” refers to actions which the ICO expects organisations to take in order to comply effectively with the law, although these are not legal requirements in themselves; and “could” refers to options and examples which organisations could consider to help them comply with the law and adhere to good data protection practice. This helpfully makes clear to organisations which of their obligations regarding encryption are legal requirements and which are expectations or suggestions.

What is Encryption?

The ICO states that: “Encryption is a process that uses a secret key to encode information, ensuring that only those with access to the key can read it. Decryption is the opposite – the secret key decodes the information and makes it useful again.” (Source: ICO Draft Updated Guidance On Encryption)

Many of us rely on encryption every day. The passcode on a smartphone, for example, unlocks the key that encrypts the data stored on the device, and websites accessed through a URL beginning with ‘https’ (such as the one you are visiting now) are protected by Hypertext Transfer Protocol Secure (HTTPS), which encrypts and authenticates the traffic between a user’s browser and the website.

During encryption, readable data (‘plaintext’) is converted into unreadable ‘ciphertext’ (which may appear as jumbled letters and numbers) using a key; the corresponding key is then needed to decrypt the ciphertext and turn it back into plaintext. Without that key, the ciphertext is of no use to whoever obtains it, which is the extra layer of protection encryption provides if data is lost or stolen.
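The round trip described above, as an added example in Go that is not part of the ICO guidance or this article: a constructed sample record is encrypted under a random 256-bit key with AES-256-GCM (the algorithm is this example’s choice; the guidance quoted here does not name one), decrypted with the right key, and then shown to fail with the wrong key. GCM is an authenticated mode, so a wrong key or a tampered ciphertext produces an error rather than plausible-looking garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Encrypt turns plaintext into ciphertext under a 32-byte secret key using
// AES-256-GCM, an authenticated cipher: the output carries a tag that lets
// Decrypt detect a wrong key or any tampering. A fresh random nonce is
// generated per call and prepended, so the layout is nonce || ciphertext || tag.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends the ciphertext and tag to the nonce slice passed as dst.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. It fails, rather than returning garbage, if the
// key is wrong, the data was modified, or the data is too short to hold a nonce.
func Decrypt(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ciphertext := data[:gcm.NonceSize()], data[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

func main() {
	// Constructed sample record for the demonstration; not real personal data.
	plaintext := []byte("Name: A. Example, DOB: 1990-01-01")

	key := make([]byte, 32) // 256-bit secret key, generated fresh here
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}

	ciphertext, err := Encrypt(key, plaintext)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ciphertext (hex): %s\n", hex.EncodeToString(ciphertext))

	recovered, err := Decrypt(key, ciphertext)
	if err != nil {
		panic(err)
	}
	fmt.Printf("decrypted with the right key: %s\n", recovered)

	wrongKey := make([]byte, 32) // all zeros: not the key used above
	if _, err := Decrypt(wrongKey, ciphertext); err != nil {
		fmt.Println("decrypting with the wrong key fails:", err)
	}
}
```

In practice the key itself is the thing to protect: it is stored in a key management service or hardware module, not beside the ciphertext, and never derived directly from a short passcode without a proper key-derivation function.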

Whilst the UK GDPR does not require all personal data held by an organisation to be encrypted, the ICO states: “…you should use encryption to protect personal information when:

  • it is in transit electronically (eg online);
  • you store it on computing devices like PCs, laptops, smartphones and tablets; and
  • you store it on removable media.” (Source: ICO Draft Updated Guidance On Encryption)
Jordan Masters

Trainee Solicitor


Guidance on HTTPS

The draft updated guidance also addresses protecting data while it is in transit from one device to another.

Amongst other information, the ICO states: “If you provide a website, you should use HTTPS across all its pages.” It also states: “There is no longer a compelling argument for not implementing HTTPS across all pages of a website.” (Source: ICO Draft Updated Guidance On Encryption)

Organisations should therefore check whether every page of their websites is served over HTTPS, including any plain HTTP request being redirected to the HTTPS version, and, if not, proactively take appropriate action.
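One concrete way to meet the “HTTPS across all pages” expectation, as an added Go example that is not part of the ICO guidance or this article: a handler for the plain-HTTP listener that redirects every request to the same path on https://, and a wrapper for the HTTPS listener that adds a Strict-Transport-Security (HSTS) header so returning browsers stop trying plain HTTP at all. HSTS goes beyond what the quoted guidance says; it is this example’s addition. The hostnames and requests are constructed, and the listeners themselves are described in comments rather than started, so the program runs offline.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// RedirectToHTTPS is the only handler the plain-HTTP listener needs: whatever
// the path or query, it answers with a permanent redirect to the same URL on
// https://. 308 (rather than 301) keeps the method and body intact.
// Note that r.Host comes from the client's Host header; a client that lies
// about it only redirects itself elsewhere.
func RedirectToHTTPS(w http.ResponseWriter, r *http.Request) {
	host := r.Host
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h // drop an explicit :80
		if strings.Contains(host, ":") {
			host = "[" + host + "]" // re-bracket an IPv6 literal
		}
	}
	target := "https://" + host + r.URL.RequestURI()
	http.Redirect(w, r, target, http.StatusPermanentRedirect)
}

// WithHSTS wraps the handler served on the HTTPS listener so every response
// carries Strict-Transport-Security; browsers then refuse to use plain HTTP
// for this host for the next year. Browsers ignore the header on http://
// responses, so it belongs on the HTTPS side only.
func WithHSTS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Exercise both handlers in-process with constructed requests. In a real
	// deployment RedirectToHTTPS would be served on :80 with http.ListenAndServe
	// and the WithHSTS-wrapped site on :443 with http.ListenAndServeTLS and the
	// site's certificate and key (paths assumed, not shown).
	req := httptest.NewRequest("GET", "http://www.example.com/privacy?ref=footer", nil)
	rec := httptest.NewRecorder()
	RedirectToHTTPS(rec, req)
	fmt.Printf("HTTP %d -> Location: %s\n", rec.Code, rec.Header().Get("Location"))

	site := WithHSTS(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "secure page")
	}))
	req = httptest.NewRequest("GET", "https://www.example.com/privacy", nil)
	rec = httptest.NewRecorder()
	site.ServeHTTP(rec, req)
	fmt.Printf("HTTPS %d, HSTS: %s\n", rec.Code, rec.Header().Get("Strict-Transport-Security"))
}
```

The redirect alone still leaves the first request of each visit in the clear, which is why the HSTS header is paired with it; the max-age can be kept short while the rollout is being verified and raised once every page is confirmed to work over HTTPS.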

Clarkslegal

As technology evolves and ever more personal data is processed, we are, unfortunately, likely to see more data breaches, so it is becoming even more important that organisations adhere to robust data protection policies. Clarkslegal’s experienced data protection lawyers can provide valuable advice to help ensure that organisations do not breach data protection laws; please do not hesitate to get in touch.

About this article

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.
