Research undertaken by Field Fisher Waterhouse into the existing legal framework mandating encryption of personal data in the EU and Asia details legal requirements and reveals a trajectory of data protection regulation towards encryption as a compliance imperative.


The litany of highly visible data breach incidents in 2012, further compounded by the steep penalties being delivered by data protection watchdogs, means that the pressure to protect the integrity and confidentiality of mission-critical information has never been greater.

With today’s businesses concerned with protecting what matters as they operate across international borders, and with cloud computing practices now commonplace, data protection legislation has been propelled to the forefront of the corporate agenda.

The research examines the legal obligation to encrypt personal data in both Europe – with particular focus on the United Kingdom, France, Germany and Spain, and in Asia – focusing on Singapore, South Korea and Japan. The study details that the obligation to encrypt information often extends beyond personal data to other forms of confidential, non-personal data, specifically in the finance sectors.

“As this research demonstrates, the intricacies and abundance of data protection regulations today are aggravating compliance concerns for businesses that operate in multiple environments and geographies,” said Stewart Room, partner and data security specialist in Field Fisher Waterhouse’s Privacy and Information Law Group. “With the increased demand for transparency following security breaches, and tougher monetary penalties and legal sanctions for negligence, encryption of data is not only a reasonable expectation – but a near necessity.”

The research further demonstrates how the legal focus on encryption has progressed from laptops and storage media to include databases, unstructured data, Big Data, the cloud and application data. In doing so, encryption represents the most comprehensive means of keeping sensitive data safe and certifying compliance.

“More and more companies today find themselves in a quandary trying to protect what matters by implementing a security solution that effectively protects their sensitive data while also satisfying myriad country-specific compliance regulations across the geographies where they operate,” said Paul Ayers, VP EMEA at Vormetric. “Encryption, with associated key management, effectively separates and defines who can access what data where, thereby mitigating not only the risk of an embarrassing data breach but also the associated legal ramifications for lack of security due diligence.”