The new General Data Protection Regulations (GDPR) will come into force on May 25th, 2018, and if you make it through all 261 pages of the document, you’ll find the ICO hasn’t committed to an actual directive regarding encrypting data sent from a website’s web-form.
‘Encryption’ is mentioned 4 times in the document:
- “…implement measures to mitigate those risks, such as encryption.” (P51 (83))
- “…appropriate safeguards, which may include encryption” (P121 (4.e))
- “…including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data.” (P160 (1a))
- “…unintelligible to any person who is not authorised to access it, such as encryption” (P163 (3a))
There are other ways to mitigate the risk when transferring data, other ways to make the data unintelligible and other safeguards, all more complicated (and more expensive) than SSL encryption.
We think the bottom line is: if your website is sending data through a web-form, you need HTTPS to ensure it’s encrypted in transit.