Monday 9 April 2018

GDPR and Encryption

I have been hearing and reading all sorts of interesting and potentially scary things about GDPR and the need for encryption of emails and back ups and so on and so forth. After reading as much as I could find about it on the ICO web site, I failed to find an answer to one key question:

Is encryption mandatory under GDPR for emails, back ups and so on?

On Friday, last week, I called the ICO help desk and was given what I thought was a pretty definitive answer. Below is my interpretation of the response that I was given.

To the question ‘is encryption mandatory?’ the answer is no. However, there is an ‘it depends’ element and that goes as follows. Under GDPR you are expected to take reasonable steps to protect the privacy of data that you hold for individuals. Just exactly what is reasonable depends on a number of circumstances.

If you are processing sensitive personal data such as religious or health matters, then I would suggest that encryption for the emailing of such data back to the data subject or on to other parties is probably appropriate. I note that many insurance portals use encryption to allow you to pass data through them.

If you are not processing sensitive personal data (for example mortgage details) then encryption may not be necessary as long as you have the normal procedures and practices in place to prevent unauthorised access to your files or computer systems.

Normal procedures and practices would include password protection for computers, phones, tablets and laptops or any other communication device. Password protection is also appropriate for access to any specific systems that you use for processing personal data such as Trigold, Brain, The Key or any other bespoke customer management systems that you might use. Physical security would include making sure that paper files and physical computer back ups are held in locked cabinets and kept in secure offices or premises that are also lockable when unoccupied. Leaving a laptop in a car, for example, cannot be considered secure even with password protection, as Nationwide found out a number of years ago under the existing Data Protection regulations. Equally, taking a backup of your system and leaving it on a pen drive in a locked car or hanging up in the kitchen of a family member’s home cannot be considered reasonable steps to keep the data that you hold private.

Another aspect to consider is how material the loss of data would be. I was given the following example by the ICO help desk. If you were holding a list of names and addresses and payments for a club, you might keep that on paper in a locked drawer in a lockable office. That would be reasonable steps in normal circumstances. However, if you were holding a list of all MI5 agents operating in Russia, it might be more appropriate to keep that in a locked vault with an armed guard, because the consequences of a breach of privacy would be more significant in the second case.

On this basis, I think it might also be reasonable to argue that clients’ credit or debit card details should not be passed about by unencrypted emails, or rather, the full data required to access and use such cards should not be passed about in unencrypted emails.

Of course, the problem with encryption for emails is that you have to provide the recipient with a key to access the encrypted data. That provides an additional layer of complexity in the process and could prevent or discourage your clients from interacting with you as they should. In the extreme cases that could result in the client going elsewhere and finding a broker who wasn’t making it so difficult for them to transact with you.

No matter what actions you take, there is always going to be the risk that you will experience a breach of data privacy. If that occurs, the first thing that the ICO will look at is how serious your organisation was about data protection. Carrying out a Data Protection Risk Assessment on the firm annually, or whenever you make a change to the way that you handle or process data, will provide evidence of your firm’s seriousness about data protection. This will be an important part of mitigation if you fall foul of the ICO for a privacy breach. I will be issuing an example of a DPRA for a ‘typical broker’ over the next couple of days to enable you to give thought to any potential concerns.

How does all this translate into an action?

If you are processing sensitive personal data then you are advised to encrypt. This includes religious and health matters, sexual orientation and the like. It does not technically include a client’s financial circumstances, despite the importance that we place on it. This may mean that some of your insurance data may need to be passed through encrypted portals or email systems.

You should not be passing clients’ credit card or debit card details through unencrypted emails.

Most mortgage related data does not fall into the sensitive personal data category (although some questions for lifetime mortgages may well do) and so there is no requirement to encrypt either email or security back ups as long as you have taken appropriate measures to protect the privacy of the data that you hold. Appropriate measures in this context are set out in general terms in the following paragraph, although individual cases and circumstances may vary.

In all cases, use strong password protection for computers, laptops, mobiles, iPads and so on in order to prevent unauthorised access to your devices. Within applications, once again use strong password protection to prevent unauthorised access to systems and the data held within them. Keep paper files, when not in use, in secure lockable cabinets or drawers that are locked when the office or premises is not attended. Use lockable and secure premises that are locked when unattended. Keep security backups in a secure location and on secure devices.

To demonstrate that you take Data Protection seriously, it is advisable to undertake a Data Protection Risk Assessment at least annually or whenever you make a change to the way that you handle or process data. An example will be issued in the next couple of days.