Although there are no explicit GDPR encryption requirements, the regulation does require you to enforce security measures and safeguards.
The GDPR repeatedly highlights encryption and pseudonymization as “appropriate technical and organizational measures” of personal data security.
Is encryption mandatory under GDPR?
Encryption is not mandatory under the GDPR. One way to determine whether it is appropriate is to conduct a DPIA (data protection impact assessment). Note that even if you only encrypt personal data, you are still processing it under the Regulation and must abide by its requirements.
Do emails have to be encrypted under GDPR?
Sending a normal email that includes personal or sensitive information without encryption is considered to be illegal under the GDPR.
What level of encryption is required for GDPR?
The most relevant part of the GDPR for encryption is Article 32, “Security of Processing”. The text of the article is very readable, and a link to it is given in the Resources section below. Here is an extract from Article 32 (emphasis added):
Is encrypted data subject to GDPR?
As long as the encryption is sound and the key is well protected, the encrypted data is safe. The GDPR generally takes a binary approach to data: it is either personal data or it is not. If data is considered personal data, the full weight of the GDPR’s regulatory regime applies to any entity processing it.