Press "Enter" to skip to content

The ICO advise on email encryption requirement

Encryption for email required under new data protection rules

The ICO have reminded businesses that “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.

What is encryption?

Encryption is a mathematical function using a secret value — the key — which encodes data so that only users with access to that key can read the information.

In many cases encryption can provide an appropriate safeguard against the unauthorised or unlawful processing of personal data, especially in cases where it is not possible to implement alternative measures.


Data controllers should have a policy governing the use of encryption, including guidelines that enable staff to understand when they should and should not use it.

For example, there may be a guideline stating that any email containing sensitive personal data (either in the body or within an attachment) should be sent encrypted or that all mobile devices should be encrypted and secured with a password complying with a specific format.

Data controllers should also be aware of any industry or sector specific guidelines that may recommend a minimum standard for encrypting personal data.

Who are the ICO?

The ICO is the UK’s independent body set up to uphold information rights. The ICO’s role is to uphold information rights in the public interest.

Read more about this recommendation here:

If you would like to discuss how to become compliant with new data protection legislation, coming in May 2018 Contact Frama for a no obligation audit of your current email security process.

*Source Information Commissioner’s Office

Business Info Magazine & Site is Published by Kingswood Media 2022