The Information Commissioner’s Office (ICO) has published a consultation on draft updated guidance on encryption.

Similar to the recently-published consultation on anonymisation and pseudonymisation (on which we commented here), the draft guidance on encryption is comprehensive and is aimed at data protection officers within organisations, as well as those who have specific responsibilities to implement encryption.

The draft guidance provides helpful explanations of the two different types of encryption (symmetric and asymmetric), as well as detailed guidance on how UK data protection law applies to encryption. As the ICO points out, the UK GDPR does not require its use, but encryption is provided as an example of a technical measure that can ensure that personal data is processed securely. However, the Guidance reminds organisations that encryption does not remove risks entirely, and provides assistance on how to balance its possible benefits against any residual risks.

Where the guidance is particularly helpful is the extensive use of examples so that organisations can understand how encryption works, where it might be beneficial to them, and how they can implement it. It is also accompanied by a raft of scenarios that provide even greater assistance for those organisations considering its implementation.

The consultation welcomes any feedback on the draft guidance and is open until 24 June 2025. To read the draft guidance in full, click here.