Encryption

Encryption is a technique that transforms data into a form that can only be read by those who hold the correct encryption key. It is one of the most effective security measures against data breaches and is explicitly mentioned in GDPR Article 32 as an example of an appropriate technical measure.

    What is encryption?

    Encryption is the process of transforming data (plaintext) into an unreadable form (ciphertext) using an algorithm and a cryptographic key. Only the holder of the correct key can decrypt and read the original data. Even if an attacker gains access to the encrypted data, it is useless without the key.

    Encryption is a fundamental part of modern information security and is used everywhere: HTTPS on websites, email encryption, full disk encryption on laptops, and encryption of databases and backups.

    Encryption at rest and in transit

    Encryption is usually described in two forms, according to where the data is when it is protected:

    • Encryption at rest: Data is encrypted whilst stored on disk, in a database or in cloud storage. This protects against physical theft or unauthorised server access.
    • Encryption in transit: Data is encrypted whilst being transported over the network. This is typically implemented via HTTPS/TLS, VPN or encrypted communication protocols.

    Best practice is to have encryption at both levels. Data that is only encrypted in transit is vulnerable when stored unencrypted on disk, and vice versa.

    GDPR and encryption

    GDPR Article 32(1)(a) mentions encryption as an example of an appropriate technical security measure. Encryption is not unconditionally required, but when handling sensitive personal data, transfers to third countries and storage of large data volumes, it will in most cases be necessary to meet the requirement of appropriate security.

    A data breach that solely involves encrypted data is typically not subject to notification to the supervisory authority, as the risk to data subjects is minimal.

    Key management

    Strong encryption is only as secure as the key management. Encryption keys must be stored separately from the data they encrypt, rotated regularly, and access to them must be controlled and logged.

    Encryption algorithms

    The most widely used and recommended encryption algorithms today are: AES-256 for symmetric encryption (e.g. full disk encryption), RSA and ECC for asymmetric encryption (e.g. key exchange), and TLS 1.3, the protocol that combines such algorithms to secure communication connections. Algorithms such as DES and 3DES are considered obsolete and should be avoided.
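    The key-management rule and the AES-256 recommendation above, as an added example that is not the page's own code: a small Go program that holds AES-256-GCM keys in a key ring kept apart from the data, tags each ciphertext with the ID of the key that sealed it so keys can be rotated without re-encrypting old records, and refuses to open a record once its key has been withdrawn or the record has been tampered with. The KeyRing type, the numeric key IDs and the blob layout are assumptions made for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// KeyRing maps a key ID to a 32-byte AES-256 key; it stands in for a KMS/HSM held apart from the data.
type KeyRing map[uint32][]byte

// aead builds an AES-256-GCM cipher (32-byte key) for the key with ID keyID.
func aead(ring KeyRing, keyID uint32) (cipher.AEAD, error) {
	block, err := aes.NewCipher(ring[keyID]) // an unknown ID gives a nil key, which is rejected
	if err != nil {
		return nil, fmt.Errorf("key %d: %w", keyID, err)
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under keyID. Blob: key ID (4) || nonce (12) || ciphertext+tag.
func Encrypt(ring KeyRing, keyID uint32, plaintext []byte) ([]byte, error) {
	gcm, err := aead(ring, keyID)
	if err != nil {
		return nil, err
	}
	buf := make([]byte, 4+gcm.NonceSize())
	binary.BigEndian.PutUint32(buf, keyID)
	if _, err := rand.Read(buf[4:]); err != nil { // fresh random nonce per record
		return nil, err
	}
	// The key-ID header goes in as additional data, so it is authenticated too.
	return gcm.Seal(buf, buf[4:], plaintext, buf[:4]), nil
}

// Decrypt opens the blob with the key it names: data sealed under an older key
// still opens after rotation, and stops opening once that key leaves the ring.
func Decrypt(ring KeyRing, blob []byte) ([]byte, error) {
	if len(blob) < 16 {
		return nil, fmt.Errorf("blob too short")
	}
	gcm, err := aead(ring, binary.BigEndian.Uint32(blob[:4]))
	if err != nil {
		return nil, err
	}
	n := 4 + gcm.NonceSize()
	return gcm.Open(nil, blob[4:n], blob[n:], blob[:4])
}
```

    Logging who reads the ring, and from where, is the part this snippet leaves to the surrounding KMS; the code only enforces the separation and the rotation.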

    Frequently Asked Questions about Encryption

    Does the GDPR require encryption?

    The GDPR explicitly mentions encryption as an example of an appropriate security measure in Article 32(1)(a). It is not an absolute requirement in all cases, but in many contexts it will be expected and necessary to fulfil the requirement of appropriate security.

    What is the difference between encryption at rest and in transit?

    Encryption at rest protects data stored on disk, such as in a database or on a laptop. Encryption in transit protects data whilst it is being transferred over the network, for example via HTTPS or TLS.

    Which encryption algorithms are recommended?

    AES-256 is recommended for symmetric encryption, RSA and ECC for asymmetric encryption, and TLS 1.3 as the protocol for encrypted communications. Algorithms such as DES and 3DES are considered obsolete and should be avoided.

    Why is key management important for encryption?

    Encryption is only as secure as the key management. If encryption keys are stored alongside the encrypted data or are not rotated, an attacker who gains access to the keys can decrypt all the data. Keys should be stored separately, rotated regularly and access should be logged.

    Can encryption reduce obligations after a data breach?

    Yes. A breach involving only encrypted data is typically not notifiable to the supervisory authority, as the risk to data subjects is minimal when the data cannot be read without the key.
