By encrypting personal data, companies can reduce the probability of a data breach, and therefore also of fines, in the future. The processing of personal data is naturally associated with a certain degree of risk. Especially these days, cyber-attacks are nearly unavoidable for companies above a given size, so risk management plays an ever larger role in IT security. Data encryption is therefore, among other measures, well suited to such companies.
In general, encryption is understood as a procedure that converts plaintext into ciphertext using a key, so that the information can only be made readable again with the correct key. This minimises the risk of an incident during data processing, as encrypted content is essentially unreadable to third parties who do not hold the correct key. Encryption is the best means of protecting data in transit, and a way of securing stored personal data. This reduces the risk of misuse within a company, as access is limited to authorised people holding the right key.
The regulation also recognises the risks of processing personal data and, in Art. 32(1) of the General Data Protection Regulation, places the responsibility on controllers (the responsible parties) to implement suitable technical and organisational measures to secure personal data. The state of the art, the implementation costs and the nature, scope, context and purposes of the processing must be taken into account. In addition to these criteria, the varying likelihood and severity of the risks to the rights and freedoms of the persons affected must be considered. The degree of the security measures taken must be adjusted on the basis of this assessment. Encryption is explicitly mentioned as one such measure in the non-exhaustive list in Art. 32(1) of the GDPR.
Encryption of personal data has additional benefits for controllers and/or processors. For example, the loss of a mobile storage medium on which the data are encrypted using state-of-the-art methods need not, as a rule, be reported. In addition, the supervisory authorities must take the use of encryption into account in the company's favour when deciding whether and to what level a sanction is imposed, as per Art. 83(2)(c) of the GDPR.
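The two properties the text relies on, that encrypted personal data stays unreadable without the correct key and that a lost encrypted medium therefore carries little risk, are shown below in an added example (not part of the original article) using AES-256-GCM from the Go standard library; the record contents and the helper names Seal and Open are assumptions for illustration, and the key is assumed to be stored separately from the medium that holds the ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Seal encrypts a personal-data record with AES-256-GCM under key and
// returns nonce||ciphertext||tag. A fresh random 12-byte nonce is drawn
// per call, so encrypting the same record twice never yields the same blob.
// The key (32 bytes) must be kept apart from the medium holding the blob.
func Seal(key []byte, record []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16/24/32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, record, nil), nil
}

// Open reverses Seal. With a wrong key, or if any byte of the blob was
// altered, the GCM authentication tag does not verify and an error is
// returned rather than garbage plaintext, so a finder of a lost medium
// learns nothing about the record.
func Open(key []byte, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}
```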