All stored sensitive information must be encrypted.
Systems usually store personal data, i.e. Personally Identifiable Information
(PII), medical records, credentials and other types of sensitive information.
All of these must be encrypted before being stored using safe cryptographic
This is also applicable when personal information must be temporarily stored
in the client-side storage.
The encryption prevents unauthorized actors that may have accessed the storage
system from obtaining the information.
GDPR. Art. 32: Security of processing.(1)(a).
The controller and the processor shall implement appropriate technical and
organizational measures to ensure an appropriate level of security,
including the pseudonymization and encryption of personal data.
GDPR. Recital 45: Protecting sensitive personal data.
Personal data which are, by their nature, particularly sensitive in relation to
fundamental rights and freedoms merit specific protection as the context of
their processing could create significant risks to the fundamental rights and
V6.1 Data Classification.(6.1.1)
Verify that regulated private data is stored encrypted while at rest,
such as personally identifiable information (PII), sensitive personal
information, or data assessed likely to be subject to EU’s GDPR.
V6.1 Data Classification.(6.1.3)
Verify that regulated financial data is stored encrypted while at rest,
such as financial accounts, defaults or credit history, tax records,
pay history, beneficiaries, or de-anonymized market or research records.