Encryption
Encryption is a method for protecting information by converting data into an unreadable form that can only be restored with a key.
Explained – what does encryption mean?
Encryption is a technical safeguard used to protect personal data and other sensitive information from unauthorised access. The concept is central to data protection and is named in GDPR (Article 32) as an example of an appropriate security measure. A GDPR lawyer will consider the use of encryption as part of a risk assessment of the processing of personal data. Unlike pseudonymisation, which replaces identifiers but leaves data that can still be linked to an individual with additional information, encryption renders the data unreadable to anyone who does not hold the decryption key. Note that encrypted personal data is still personal data: the controller holds the key and can read it, so encryption limits the consequences of unauthorised access but does not remove the organisation's GDPR obligations.
When is encryption relevant for personal data?
Encryption is relevant wherever organisations process personal data or other sensitive information that must be protected against unauthorised access. This includes, for example, data transmission over the internet, storage of customer records, or handling internal registers. It can also be applied to email communication to ensure only the intended recipient can read the content and to support information security in transit and at rest.
Key considerations for encryption and access controls
There are several factors organisations should consider when implementing encryption. The following points are essential for robust information security and effective risk assessment.
- Select a current, well-reviewed algorithm and mode of operation (for example an authenticated encryption scheme such as AES-GCM, and up-to-date TLS for data in transit). GDPR does not prescribe a particular algorithm; Article 32 requires measures appropriate to the risk, so the choice should be justified in the risk assessment and must also satisfy any other applicable regulation.
- Ensure encryption keys are generated, stored, rotated and retired in a structured and secure manner, with clear access controls. Keep keys separate from the data they protect: a backup or database copy that contains both the ciphertext and the key offers no protection.
- Assess whether encryption is required for both transmission and storage (encryption in transit and encryption at rest); the two protect against different threats and one does not replace the other.
- Review regularly that the encryption solution, including the algorithms, key lengths and protocol versions in use, is up-to-date and effective, and retire deprecated algorithms and short keys before they become practical to break.
- Document the use of data encryption in the organisation’s internal security policies.
- Train staff on the correct use of encrypted systems and related access controls.
- Distinguish clearly when encryption and pseudonymisation are appropriate, as they serve different purposes.
By addressing these areas systematically, an organisation can demonstrate that it takes information security seriously and that the protection of personal data is firmly embedded. Encryption is a technical safeguard, but to be fully effective it must be combined with organisational measures, such as training and clear internal procedures aligned with GDPR security requirements.
Why is encryption important for information security?
Encryption is a central element of data protection and a technical safeguard. To achieve comprehensive protection, it must always be complemented by organisational measures, such as policies and role-based access controls. For organisations that process personal data, encryption is one of the measures GDPR names as a way to meet its security requirements, and it limits both the harm and the regulatory consequences of a data breach: under Article 34, a breach involving data that was encrypted so as to be unintelligible to unauthorised persons need not be communicated to the affected individuals, provided the key itself was not compromised.
Using encryption builds confidence among customers and business partners. It strengthens trust that data is handled responsibly and that individuals’ privacy is respected. This is particularly important at a time when cyberattacks and the risk of a data breach are steadily increasing.
Encryption also supports long-term resilience in information handling. When an organisation invests in secure technical solutions—such as strong encryption keys and well-governed key management—it signals that security and integrity are priorities, which in turn supports relationships with authorities and the market.
Frequently asked questions about encryption
Companies should use encryption when personal data is processed in circumstances where unauthorised access would put individuals at risk, for example during transmission over open networks or when storing sensitive information. Applying encryption at rest and in transit is a practical way to mitigate risks identified in a risk assessment and to ensure that a data breach does not expose readable personal data.
Technical safeguards are solutions based on IT and systems, for example encryption or firewalls. Organisational safeguards are internal procedures and governance that complement technology.
- Technical safeguards: data encryption, pseudonymisation, access controls.
- Organisational safeguards: staff training, internal policies, control of permissions.
- Both are necessary for comprehensive data protection in line with GDPR security requirements.
Encryption uses algorithms to convert information into a coded form that can only be interpreted with a decryption key. This can be applied during data transmission and storage. The level of protection depends on the strength of the encryption algorithm, on its correct use (an authenticated mode, a nonce that is never reused with the same key), and on effective management of the encryption key.
- Symmetric encryption uses the same key for encryption and decryption. It is fast and is used for bulk data, but every party that must read the data has to hold the same secret key.
- Asymmetric encryption uses a key pair: data encrypted with the public key can only be decrypted with the matching private key. In practice (for example in TLS) it is used to establish or protect a symmetric key rather than to encrypt the data itself.
- The level of protection depends on the algorithm's strength and on key management: a strong algorithm with a leaked or guessable key protects nothing.
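The two properties the points above describe, the algorithm's strength and the handling of the key, can be made concrete with a small program. The following Go program is an added example written for this page, not code from the original article or from Morling Consulting. It encrypts a fictitious customer record with AES-256-GCM (a symmetric authenticated mode) under a per-record data key, wraps that data key under a separate key encryption key (envelope encryption, the pattern behind cloud key management services), and then shows that a modified ciphertext, a ciphertext moved to another record, and a wrong key encryption key all fail to decrypt instead of yielding garbage. The record contents, the identifier "customer-42" and the function names are constructed for the demonstration; in production the key encryption key would be held in a KMS or HSM rather than in memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// gcm builds an AES-GCM AEAD for a 16, 24 or 32 byte key (AES-128/192/256).
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with a fresh random 96-bit nonce and returns nonce||ciphertext||tag.
// aad is authenticated but not encrypted; here it carries the record ID.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal. GCM checks the tag before releasing any plaintext, so a modified
// ciphertext, a wrong key or a mismatched aad yields an error, never corrupted output.
func open(key, sealed, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, aad)
}

// Record is what the storage layer keeps: the per-record data encryption key (DEK) wrapped
// under the key encryption key (KEK), and the sealed payload. Without the KEK it reveals nothing.
type Record struct {
	ID         string
	WrappedDEK []byte
	Sealed     []byte
}

// encryptRecord performs envelope encryption: a random DEK per record, wrapped under the KEK.
// Assumption for this example: the KEK is in memory; in production it stays inside a KMS/HSM.
func encryptRecord(kek []byte, id string, payload []byte) (Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Record{}, err
	}
	wrapped, err := seal(kek, dek, []byte(id))
	if err != nil {
		return Record{}, err
	}
	sealed, err := seal(dek, payload, []byte(id))
	if err != nil {
		return Record{}, err
	}
	return Record{ID: id, WrappedDEK: wrapped, Sealed: sealed}, nil
}

// decryptRecord unwraps the DEK with the KEK, then opens the payload with the DEK.
func decryptRecord(kek []byte, r Record) ([]byte, error) {
	dek, err := open(kek, r.WrappedDEK, []byte(r.ID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dek, r.Sealed, []byte(r.ID))
}

func main() {
	// Constructed KEK and a fictitious customer record for the demonstration.
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	rec, err := encryptRecord(kek, "customer-42", []byte("Anna Andersson, 1980-01-01"))
	if err != nil {
		panic(err)
	}
	pt, err := decryptRecord(kek, rec)
	fmt.Printf("round trip: %q err=%v\n", pt, err)
	// Flip one bit of the stored payload: GCM rejects it instead of returning corrupted data.
	rec.Sealed[len(rec.Sealed)-1] ^= 0x01
	_, err = decryptRecord(kek, rec)
	fmt.Println("tampered payload:", err)
	// Without the KEK (lost, or rotated without re-wrapping) nobody can read the record.
	_, err = decryptRecord(make([]byte, 32), rec)
	fmt.Println("wrong KEK:", err)
}
```

Two design points are worth noting. Binding the record ID into the authenticated data means an attacker with write access to the database cannot swap one customer's ciphertext into another customer's row. And because each record has its own data key, rotating the key encryption key only requires re-wrapping the small DEKs, not re-encrypting every payload, which is what makes the regular review and rotation recommended above affordable.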
GDPR (Article 32(1)(a)) names encryption, alongside pseudonymisation, as an example of a technical measure that can protect personal data. By using encryption, organisations demonstrate a proactive approach to data protection and reduce potential harm in the event of an incident or data breach.
- It reduces the risk that data can be exploited following an attack.
- It strengthens customer trust.
- It may be a mitigating factor during regulatory oversight by the Data Protection Authority.
The controller is ultimately responsible for ensuring that encryption is appropriately used. This means senior management must ensure processes, resources and technical solutions are in place to meet data protection requirements.
Encryption and pseudonymisation are distinct safeguards that are often confused. Encryption makes data unreadable and can only be reversed with the correct key, while pseudonymisation (GDPR Article 4(5)) replaces identifiers, for example with codes or numbers, so that the data can no longer be attributed to a specific individual without additional information that is kept separately. Because a decryption key is exactly such additional information, encrypted data remains personal data under GDPR for as long as anyone holds the key; encryption is a protective measure, not a way to take data out of the Regulation's scope.
- Encryption is a technical process that can be reversed with the correct decryption key.
- Pseudonymisation makes data indirectly identifiable but not unreadable.
- Encryption protects against unauthorised access; pseudonymisation limits the link to individuals.
- Both are used under GDPR but with different purposes and applications.
Contact
If you prefer phone, please feel free to contact Felix Morling at +46 70 444 42 85