GDPR: Encryption is NOT Mandatory!

GDPR Snake Oil

Warning: Rant alert…

Author Gary Hibberd

Like many in the Information Security/Cyber Security world at the moment I’m VERY excited about the new General Data Protection Regulations (GDPR) which come into force on May 25th, 2018. The changes are significant and have an impact on every EU (and therefore UK) citizen.

This short post isn’t going to explore the multitude of changes, and it’s not going to talk about the hefty fines headed your way if you get it wrong… No. This post is to respectfully ask people who are selling/providing solutions to ‘ensure'(?) compliance to the standard to simply do the following two things.

1. Read the Regulations!

The new regulations are a good thing. It’s only 261 pages and it’s actually a good read! If you’re in the market to sell services that help people be better prepared for the Regulations, then the least you can do is read the Regulations and make an effort to understand them!

You honestly don’t need to be a ‘legal eagle’ to understand what the regulations are doing. You MAY (at a push) need to seek some clarification on how to interpret some of the clauses to address a specific operational issue, but you won’t need to go to ‘the Bar’ to understand key aspects of the regulations.

2. Stop trying to sell ‘Snake Oil’

What’s the problem? I’ve heard on several occasions how ‘Employing Encryption will ensure you are compliant to GDPR’. I’ve even heard of people quoting percentages – “Encrypt your data and you’ll be 70% compliant.” Oh Really? And do you perchance know of someone selling said tools? Oh! That would be you?!

Dispelling the Encryption Myth

Let’s be clear here; Of the 261 pages of GDPR, the word ‘Encryption’ appears just 4 times;

  • “…implement measures to mitigate those risks, such as encryption.” (P51. (83))
  • “…appropriate safeguards, which may include encryption” (P121 (4.e))
  • “…including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data.” (P160 (1a))
  • “…unintelligible to any person who is not authorised to access it, such asencryption” (P163 (3a))

Does the term ‘may’, ‘such as’ and ‘as appropriate’ indicate that Encryption is mandated by GDPR, as some are suggesting? I don’t believe it does.

Do these terms suggest that Encryption is an OPTION and a good idea? Then yes, it does.

What many are clinging on to is the idea that if data is Encrypted, then reporting of a Data Breach to the data subjects is not necessary (Article 34). “Great News” I hear you cry… But wait.

If there is a breach, and the data is Encrypted then you have no regulatory requirement to inform the Data Subject. But what happens if the news gets out that you had a breach? What is the impact on your reputation? You may not have a regulatory requirement, but do you have a moral obligation?


Encryption is possibly the most technical word in the GDPR, and it gives no real context (Encryption at rest? In transit? Where is it Encrypted? What level of Encryption? Is Triple-DES ok? or do I need AES?)

My point is simply this; GDPR is far reaching and should be addressed as a business challenge. It has the best interests of the Data Subject at its heart. Let’s not take a few ‘sound bites’ and think we have all the solutions.

The regulations deserve more thought than that. And so do the Data Subjects.

Speak to a member of the team now on

03455 760 999

We would love to help you, ask for Gary:



GDPR Snake Oil