Encryption under scrutiny: what the ICO’s new guidance means for your business
The question
What is the ICO's current thinking around encryption practices where organisations are subject to the UK GDPR?
The key takeaway
The Information Commissioner's Office (ICO) has been consulting on guidance around encryption, meaning that this is a key focus area for the UK regulator. Businesses must ensure their encryption practices are risk-based, up to date with industry standards, and supported by robust key management. The ICO's draft guidance states that encryption alone is not enough to protect personal data. To comply with the guidance, organisations must demonstrate that the level and type of encryption undertaken is appropriate for their data processing activities and regularly review it to stay compliant.
The background
The ICO initiated a consultation on its draft updated guidance concerning encryption practices for organisations that are subject to the UK GDPR.
This consultation, which commenced on 13 May 2025 and concluded on 24 June 2025, invited stakeholders to provide feedback on the ICO's suggested updates. With this refreshed guidance, the ICO is aiming to provide clearer, more practical advice that reflects current technology, supports GDPR compliance, and helps organisations manage data security risks effectively.
The development
The draft guidance underscores the importance of encryption as a critical technical measure for ensuring the security of personal data. While not a mandatory measure, encryption is highlighted as an example of an appropriate safeguard under Article 32 UK GDPR, provided that it is proportionate to the nature, scope, context and purposes of the data processing activities. The ICO emphasises that encryption should be considered alongside other security measures, such as access controls and regular security audits, to provide a comprehensive approach to data protection.
In its updated guidance, the ICO provides detailed recommendations on implementing encryption effectively. These include selecting robust encryption algorithms, ensuring secure key management practices, and regularly reviewing encryption standards to adapt to technological advancements. The guidance also outlines various scenarios where encryption is applicable, such as protecting data stored on mobile devices, securing data in transit, and safeguarding data backups. By adopting these practices, organisations can enhance their compliance with the UK GDPR's security requirements and mitigate the risks associated with unauthorised access to personal data.
The ICO also provides practical scenarios and examples around the use of encryption, including real-world use cases such as protecting personal data in email communications and securing backups to the cloud. It also highlights the role of technical encryption standards and the need for ongoing review of encryption practices to adapt to new vulnerabilities.
Why is this important?
The ICO’s updated guidance on encryption signals a stronger regulatory emphasis on this type of proactive data protection, aligning with broader UK trends toward accountability and risk-based compliance under the UK GDPR. This development reinforces the expectation that organisations must justify their security choices, particularly when handling sensitive data. It complements wider moves, such as the developing Data (Use and Access) Act, which seeks to modernise the UK’s data protection framework. Collectively, these shifts highlight a trend toward more granular, technically informed guidance that supports enforcement and reduces ambiguity around data security obligations.
Any practical tips?
The ICO’s updated encryption guidance reinforces the need for organisations that process personal data to maintain high technical standards and transparent security practices. Organisations may already employ robust encryption techniques, but the draft guidance is likely to prompt further review of their UK operations to ensure compliance with evolving expectations. The emphasis on risk-based decision-making and accountability aligns with increasing global scrutiny of Big Tech’s data handling practices.