Encryption and Data Security Obligations

The UK GDPR requires you to keep personal data secure using 'appropriate technical and organisational measures'. Encryption is one of the most effective and widely expected of these measures.

This is general guidance on meeting your security duties.

Encryption in Two Places

  • In transit: HTTPS/TLS protects data moving between browser and server.
  • At rest: encrypted databases and disks protect stored data if a device is stolen.

Beyond Encryption

Security is more than encryption. Strong passwords, two-factor authentication, timely patching, least-privilege access and regular backups all form part of appropriate measures.

Proportionate to the Risk

The law expects measures that match the sensitivity of the data and the harm a breach could cause. Higher-risk data justifies stronger, layered protection. A simple mailing list does not warrant the same controls as a database of health records, so focus your effort where the potential harm is greatest.

Showing You Took Care

If a breach ever occurs, the ICO will look at whether your measures were reasonable. Documenting your security decisions, reviewing them regularly and acting on known weaknesses all help demonstrate that you took your obligations seriously.

Frequently Asked Questions

Is HTTPS enough on its own?

It is essential but not sufficient. It protects data in transit, but you still need to secure stored data and control access.

If you need a hand with any of this, your Progressive Robot delivery team is ready to help. Raise a ticket from the Support area of your client portal or speak to your account manager and we will guide you through the next steps.