Global Encryption Day: Why Encryption Is a Core Requirement

Today, 21 October, is Global Encryption Day. Led by the Global Encryption Coalition, the campaign’s message is simple: “In uncertain times, encryption keeps us safe.”

For organisations, it’s also a timely reminder that encryption isn’t optional, but a core control embedded in almost every major security and privacy framework and law – from the PCI DSS (Payment Card Industry Data Security Standard) and ISO 27001 to the GDPR (General Data Protection Regulation).

This blog post explains why encryption is essential and how to strengthen your organisation’s approach.


The risks of unencrypted data

Data breaches remain one of the most damaging cyber risks. Attackers often don’t need sophisticated tools, either – many incidents succeed because sensitive data is left unencrypted. If they gain access to databases, email servers or backups, they can immediately read and exploit the data.

According to IBM’s 2025 Cost of a Data Breach Report, the global average cost of a breach has risen to $4.45 million. Breaches involving unencrypted data are typically far worse because the attacker obtains everything in plaintext.

Encryption converts readable information into ciphertext that is useless without the decryption key. If data is stolen but properly encrypted, and the key has not also been exposed, the impact is minimal.

Regulators and lawmakers recognise this: under the GDPR, a breach of encrypted personal data may not require notification if the encryption remains intact. In contrast, storing personal data in plaintext is likely to be treated as negligence.

Beyond fines and other regulatory action, the reputational harm from exposing unprotected data can last for years. Encryption is therefore both a compliance requirement and a business necessity.


Encryption across major frameworks and laws

Although each framework uses different terminology, the message is consistent: encryption protects confidentiality and is required wherever sensitive data is stored or transmitted.

The PCI DSS

The PCI DSS demands encryption for any cardholder data.

  • Data at rest: Requirement 3 mandates that organisations render stored PANs (primary account numbers) unreadable using strong cryptography, tokenisation or truncation.
  • Data in transit: Requirement 4 insists on encryption whenever card data crosses public networks, typically via TLS or VPNs.

The PCI DSS also specifies key management procedures, such as protecting, rotating and destroying keys securely. Failure to encrypt payment data can result in loss of compliance and severe penalties from acquiring banks.

ISO 27001

The international information security management standard includes cryptography as an Annex A control and requires organisations to use encryption where necessary to maintain confidentiality, integrity and availability.

ISO 27001 does not prescribe particular algorithms, but auditors expect to see a clear cryptography policy, documentation of where encryption is applied and evidence of encryption key management practices. For ISO 27001-certified organisations, encryption underpins the CIA triad’s confidentiality principle.

The EU GDPR and UK GDPR

The General Data Protection Regulation names encryption as a key security safeguard. Article 32 obliges controllers and processors to implement “appropriate technical and organisational measures” and specifically lists encryption as an example.

The ICO (Information Commissioner’s Office) recommends encrypting all personal data at rest and in transit, particularly on portable devices and backups. If encrypted data is breached but the keys remain secure, the risk to individuals – and the likelihood of fines – is low. In practice, any organisation processing personal data is expected to use encryption routinely.


Building an effective encryption strategy

Global Encryption Day is an opportunity to review how well encryption is implemented across your organisation. The following practices are essential to meeting both security and compliance goals.

  • Encrypt data at rest and in transit
    Encryption should cover all stored data – databases, laptops, backups and cloud storage – and all data transfers, including internal services and email. Gaps are common when organisations protect one but not the other. Both the PCI DSS and the GDPR explicitly require encryption for data in motion as well as data at rest.
  • Use strong, up-to-date encryption
    Outdated algorithms give a false sense of security. Industry norms include AES-256 for data encryption and TLS 1.2 or higher for network traffic. Weak or deprecated algorithms and protocols – such as the MD5 and SHA-1 hash functions, or old SSL/TLS versions – are no longer compliant. Regularly review encryption settings to ensure they align with current standards.
  • Manage encryption keys securely
    Key management is as important as encryption itself. Store keys separately from the data they protect, restrict access, rotate them periodically and retire any that are compromised. Use hardware security modules or managed key-vault services where possible. Never hard-code keys into applications or configuration files.
  • Document policies and train staff
    A written encryption policy should define when encryption must be used, how keys are managed and which algorithms are approved. Staff must understand these requirements, particularly when handling personal or financial data. Human error – such as emailing unencrypted spreadsheets – remains a major cause of breaches.
  • Combine encryption with other controls
    Encryption protects data confidentiality, but not necessarily integrity or availability. It should form part of a layered security approach alongside access controls, patching, monitoring and backups. Poor implementation – for instance, weak passwords or lost keys – can still lead to compromise or data loss.


Practical next steps

On Global Encryption Day, take time to evaluate your current arrangements.

  1. Audit coverage
    Identify where sensitive data resides and confirm that it’s encrypted both in storage and in transit.
  2. Check compliance
    Map your controls against the frameworks that apply to you.
  3. Update tools and configurations
    Disable obsolete protocols, adopt stronger algorithms and ensure software libraries are current.
  4. Review governance
    Refresh your encryption policy, ensure key-management procedures are documented, and verify that responsibilities are clear.
  5. Educate staff
    Remind everyone handling sensitive data that encryption is mandatory and straightforward to apply with approved tools.
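As an added illustration of the "use strong, up-to-date encryption" practice and the "update tools and configurations" step (this is example code written for this post, not an IT Governance tool), the script below audits nginx-style ssl_protocols and ssl_ciphers directives against the baseline given above: TLS 1.2 or higher only, and no suites built on MD5, SHA-1, RC4, DES or null encryption. Both configuration snippets are constructed samples, with a weak setting shown beside its corrected form.

```python
import re

# Protocol versions the post treats as obsolete: anything below TLS 1.2.
OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings of OpenSSL suite names that indicate a deprecated primitive.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT")
# A suite name ending in -SHA or -MD5 uses SHA-1 or MD5 for its MAC.
WEAK_MAC_SUFFIX = re.compile(r"-(SHA|MD5)$")

# Constructed sample configs (hypothetical, not taken from any real server).
WEAK_CONFIG = """
server {
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:RC4-SHA:ECDHE-RSA-AES256-SHA;
}
"""
HARDENED_CONFIG = """
server {
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
}
"""

def parse_ssl_directives(config_text):
    """Yield (name, args) for each ssl_* directive, ignoring comments and braces."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";")
        if line.startswith("ssl_"):
            name, _, rest = line.partition(" ")
            yield name, rest.split()

def audit_tls_config(config_text):
    """Return a list of findings; an empty list means the config meets the baseline."""
    findings, saw_protocols = [], False
    for name, args in parse_ssl_directives(config_text):
        if name == "ssl_protocols":
            saw_protocols = True
            findings += [f"obsolete protocol enabled: {p}" for p in args if p in OBSOLETE_PROTOCOLS]
        elif name == "ssl_ciphers":
            # OpenSSL cipher strings are ':'-separated; '!' and '-' entries are exclusions.
            for token in ":".join(args).split(":"):
                if token.startswith(("!", "-")):
                    continue
                upper = token.upper()
                if WEAK_MAC_SUFFIX.search(upper) or any(m in upper for m in WEAK_CIPHER_MARKERS):
                    findings.append(f"weak cipher suite allowed: {token}")
    if not saw_protocols:  # versions are then whatever the server binary defaults to
        findings.append("ssl_protocols not set; protocol versions left to server defaults")
    return findings

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_tls_config(cfg) or "OK")
```

Running it on the two samples reports the three obsolete protocol versions and the two SHA-1-MAC suites in the weak config, and nothing for the hardened one.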

If gaps appear, seek expert guidance. Implementing encryption correctly can be complex, and external consultancy or training can help ensure compliance and reduce risk. IT Governance offers consultancy, toolkits and e-learning to support organisations implementing PCI DSS, ISO 27001 and GDPR controls – all of which include encryption.


A year-round priority

Encryption is for life – not just Global Encryption Day. It’s one of the few controls that directly prevents data from being misused even after a breach. It underpins the confidentiality principle of every major framework and demonstrates due diligence to regulators and customers alike.

This Global Encryption Day, take the opportunity to confirm that your encryption measures are strong, current and comprehensive. In doing so, you’ll not only align with ISO 27001, the PCI DSS and the GDPR, you’ll also strengthen your organisation’s resilience in a world where data security has never mattered more.

And if you need help addressing your compliance obligations under ISO 27001, the PCI DSS or the GDPR, we’re here to help.


The post Global Encryption Day: Why Encryption Is a Core Requirement appeared first on IT Governance Blog.