What is encryption?
Encryption means converting data into an unreadable code. Only someone with the correct key can make the data readable again. Think of it as a safe: the contents are still there, but without the code you can’t access them.
The GDPR mentions encryption in Article 32 as one of the recommended measures to protect personal data. That makes it one of the few technical measures the law explicitly names.
When is encryption needed?
Article 32 requires you to take “appropriate technical and organisational measures”, considering the state of the art, costs, and risk. Encryption is not mandatory in every situation, but in the following scenarios it is virtually unavoidable:
- Laptops and mobile devices used outside the office
- USB sticks and external hard drives with personal data
- Sensitive data such as medical information, financial data, or national ID numbers
- Data sent over the internet (forms, emails)
- Backups stored offsite
Three practical steps for your business
1. Full disk encryption on all laptops
This is the easiest and most impactful step. Enable full disk encryption on every laptop and desktop that processes personal data.
- Windows: BitLocker (built into Windows Pro and Enterprise)
- Mac: FileVault (built into macOS)
- Linux: LUKS
It costs you nothing extra, barely slows your computer, and protects you in case of theft or loss. If a laptop with disk encryption enabled is stolen while powered off or locked, so that the key is not available, the thief cannot access the data.
2. TLS on your website
If your website contains forms where visitors enter personal data - contact forms, registration forms, order forms - then the traffic must be encrypted with TLS (recognisable by the padlock and “https” in the address bar).
Most hosting providers offer free TLS certificates via Let’s Encrypt. There is no reason not to do this anymore.
3. Encrypted email for sensitive data
Do you send medical data, financial information, or copies of ID documents by email? Regular email is not encrypted end to end - comparable to a postcard that anyone handling it along the way can read.
Options:
- Use a secure messaging portal (many accounting and healthcare platforms offer this)
- Encrypt attachments with a password and share the password via a different channel
- Use S/MIME or PGP if your organisation is ready for it
The big advantage: less reporting obligation for data breaches
This is where encryption gets really interesting for business owners. If personal data is stolen or lost, you normally need to report a data breach to the supervisory authority and possibly to the data subjects.
But if the data was properly encrypted and the key was not leaked, there is no real risk to the data subjects. The data is unreadable. In that case, the supervisory authority will usually rule that notification is not required.
A stolen laptop with BitLocker enabled? Document it in your breach register, but chances are you don’t need to report it. The same laptop without encryption? Then you have a reportable breach with all the consequences.
Common mistakes
- Enabling encryption but not managing the key properly. If you stick the recovery key on a post-it on the laptop, you’ve achieved nothing
- Only encrypting the hard drive, forgetting USB sticks. That one USB stick with the customer database left on the train
- Thinking a password on an Excel file is “encryption”. It’s not - that protection is easy to crack
- Running your website on http. There is no excuse anymore for a website without TLS
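A check for step 1 and for the key-management mistake above, added here as an example and not part of the original article: it assumes a Windows laptop with the BitLocker PowerShell module (Windows Pro or Enterprise) and an elevated session, and reports every volume that is not fully encrypted with protection on, or that has no recovery password protector escrowed somewhere other than the laptop.

```powershell
# Added example, not from the original article. Assumes Windows Pro/Enterprise with the
# BitLocker module (Get-BitLockerVolume) and an elevated PowerShell session.
function Get-DiskEncryptionReport {
    [CmdletBinding()]
    param()

    foreach ($v in (Get-BitLockerVolume -ErrorAction Stop)) {
        # Fully encrypted AND protection on: the drive needs the key at boot.
        # 'FullyEncrypted' with ProtectionStatus 'Off' means BitLocker is suspended and
        # the clear key sits on the disk, so a thief can read everything anyway.
        $protected = ($v.VolumeStatus -eq 'FullyEncrypted') -and ($v.ProtectionStatus -eq 'On')

        # The recovery password is what you need when the TPM or PIN fails. It must be
        # escrowed away from the device (e.g. Backup-BitLockerKeyProtector to AD),
        # never on a post-it stuck to the laptop.
        $recovery = @($v.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

        [PSCustomObject]@{
            MountPoint          = $v.MountPoint
            VolumeType          = $v.VolumeType        # OperatingSystem or Data (incl. USB drives)
            VolumeStatus        = $v.VolumeStatus
            ProtectionStatus    = $v.ProtectionStatus
            EncryptionPercent   = $v.EncryptionPercentage
            HasRecoveryPassword = ($recovery.Count -gt 0)
            Compliant           = ($protected -and ($recovery.Count -gt 0))
        }
    }
}

$report = Get-DiskEncryptionReport
$report | Format-Table -AutoSize

# Anything non-compliant is a device you would have to treat as a reportable breach if lost.
foreach ($entry in ($report | Where-Object { -not $_.Compliant })) {
    $msg = "{0} ({1}): status={2}, protection={3}, recovery password={4}" -f $entry.MountPoint, $entry.VolumeType, $entry.VolumeStatus, $entry.ProtectionStatus, $entry.HasRecoveryPassword
    Write-Warning $msg
}
```

Run it on each laptop in the breach register before you rely on the "encrypted, so not reportable" argument; a suspended BitLocker or a recovery key that exists only on the device itself means that argument does not hold.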
Start today
Encryption doesn’t have to be complicated. Start by enabling disk encryption on all laptops. It takes half an hour per device and immediately protects you against one of the most common data breach scenarios.
GDPRWise maps which systems process personal data and whether they are adequately secured. So you can see immediately where the risks are.