How to Encrypt Files for GDPR: A Step-by-Step Compliance Guide (2025)
In 2024, European regulators issued a staggering €1.2 billion in total GDPR fines. While the headlines often focus on massive tech giants, a significant portion of these penalties targeted smaller organizations for a specific failure: “insufficient technical measures” to protect data.
If you handle the personal data of EU citizens, simply “keeping files safe” is no longer enough. Many businesses operate under the dangerous assumption that password-protecting a PDF or storing documents in a standard cloud drive constitutes compliance. It usually doesn’t.
To satisfy regulators and avoid crippling fines, you need to understand how to encrypt files to GDPR standards specifically. This means moving beyond basic passwords to implementing AES-256 encryption.
This guide moves beyond vague legal advice. We will walk you through the specific technical execution required to satisfy Article 32, protect your client data, and ensure that if a breach happens, your files remain unreadable to unauthorized eyes.
Understanding GDPR Article 32: The Legal Requirement
The General Data Protection Regulation (GDPR) is famous for being legally dense but technically vague. It rarely tells you exactly which software to buy. However, Article 32 is the cornerstone of technical compliance, specifically listing “encryption” as a primary measure to ensure a level of security appropriate to the risk.
While the text doesn’t explicitly mandate a specific algorithm, the interpretation by Data Protection Authorities (DPAs) is clear: you must use “state of the art” technology.
Rupert Brown, CTO & Compliance Expert at Evidology Systems, clarifies this ambiguity:
“GDPR does not specifically mandate any particular level of encryption… However, Article 32 lists encryption as an appropriate technical measure. In practice, this means using industry standards like AES-256 is effectively mandatory to avoid negligence claims.”
The “Safe Harbor” of Article 34
There is a massive strategic advantage to implementing proper file encryption beyond just avoiding fines. It acts as a form of insurance under Article 34.
If you suffer a data breach—perhaps a laptop is stolen or a server is hacked—you are generally required to notify all affected individuals within 72 hours. This is often where the reputational damage destroys a business. However, if the stolen data was encrypted effectively (rendering it unintelligible to the thief), you generally do not need to notify the affected individuals.
The financial impact of this difference is measurable. According to the IBM Cost of a Data Breach Report 2024, the average breach costs $4.88 million globally. However, breaches involving unencrypted data soar to an average of $5.9 million. Proper encryption doesn’t just protect data; it protects your bottom line.
For a deeper dive into your obligations, review our [GDPR Compliance Checklist].
What Counts as “Compliant” Encryption? (And What Doesn’t)
Not all “locks” are created equal. In the eyes of a regulator, using weak protection is often viewed as negatively as using no protection at all. To be compliant, you should aim for the industry gold standard: AES-256 (Advanced Encryption Standard, 256-bit).
AES-256 is used by governments and financial institutions worldwide. With current computing power, it is virtually uncrackable. When you are selecting tools or configuring software, you must verify that AES-256 is the underlying algorithm.
What is NOT Encryption
The most common compliance failures occur when staff confuse “password protection” with encryption.
Consider the HR email blunder scenario: David, an HR manager at TechCorp, needed to send a payroll spreadsheet to an external accountant. He used Excel’s standard “Protect Workbook” feature and added a password, believing he was secure. The email was intercepted in transit. Because older Office password protection is not true AES-256 encryption, the attackers cracked the file in minutes using free software. TechCorp was fined not just for the breach, but for using obsolete security measures that failed Article 32 standards.
Important Note: Adding a disclaimer to your email footer stating “this email is confidential” offers zero legal protection if you send unencrypted PII (Personally Identifiable Information).
The 7-Zip Trap
Archive tools like 7-Zip are popular for compressing and securing files. They can be GDPR compliant, but they are dangerous if configured incorrectly.
By default, many archive tools use a legacy encryption method called ZipCrypto to ensure compatibility with older Windows systems. ZipCrypto is insecure and easily broken. If you use 7-Zip, you must manually select AES-256 in the encryption method dropdown menu every time you create an archive. If your team forgets this step, your data is vulnerable.
Full-Disk vs. File-Level Encryption: Knowing the Difference
One of the most dangerous misconceptions in data security is the belief that “My laptop has BitLocker, so my files are safe.”
Full-Disk Encryption (like BitLocker on Windows or FileVault on macOS) is essential, but it has a limited scope. It protects your data only if your physical device is stolen while it is powered off. Once you turn your computer on and log in, the disk is transparently decrypted for everything running in your session, including the programs that sync, email and copy your files.
If you attach a file to an email, upload it to a cloud server, or copy it to a USB drive, that file leaves the protection of your hard drive. It travels naked.
Scenario: The “Safe” Laptop Theft
Sarah, a family law attorney in Denver, manages assets for EU clients. She is security-conscious and ensures her laptop has BitLocker enabled. However, she uses a cloud storage service to sync her case files so she can work from home.
When her laptop was stolen from her car, the thief couldn’t bypass the BitLocker login. Sarah thought she was safe. However, on her home computer, she logged into her cloud account and saw that files had been accessed and modified.
The Analysis: While her disk was encrypted, the files she synced to the cloud were not. The thief didn’t need her laptop password; they likely accessed her cloud account via a session token or a different compromised device. Because she didn’t use File-Level Encryption before syncing, the data was exposed. Sarah faced a GDPR investigation for failing to secure “data in transit” effectively.
To ensure total compliance, you must encrypt the specific document itself before it leaves your control. For more on this, read our guide on [Cloud Storage Security].
Step-by-Step: How to Encrypt Files for GDPR
Here is how to implement AES-256 encryption for your sensitive files today.
Method 1: Using Archival Tools (Free but Manual)
If you have zero budget and high technical discipline, you can use tools like 7-Zip (Windows) or Keka (macOS).
- Install the software (ensure it is the official version).
- Right-click the file or folder containing sensitive data.
- Select Add to Archive.
- Critical Step: In the settings window, find the “Encryption” section.
- Change the Encryption Method from “ZipCrypto” to AES-256.
- Enter a strong password (12+ characters, mixed case, numbers, and symbols).
- Click OK. You can now safely transmit this encrypted file.
The Risk: This relies entirely on human memory. If a staff member forgets to switch to AES-256, you are non-compliant.
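That risk can be checked mechanically instead of being trusted to memory. The following Go program is an added example, not code from this guide, from 7-Zip or from any product mentioned here. It reads the central directory of a .zip archive with Go's standard archive/zip package and classifies each member as unencrypted, ZipCrypto (encryption flag set but a legacy compression method) or WinZip-style AES (compression method 99 plus an extra record with ID 0x9901 whose strength byte means 128-, 192- or 256-bit), which is the format 7-Zip writes when you choose AES-256 for a .zip. The sample archives are constructed in code with only the header fields that matter; their contents are not really encrypted. The check applies to .zip output; 7-Zip's own .7z format offers AES-256 only.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/binary"
	"fmt"
	"hash/crc32"
	"os"
)

// WinZip AE-x: compression method 99 and an extra-field record with ID 0x9901.
const (
	aesMethod  = 99
	aesExtraID = 0x9901
)

// Entry is the audit result for one archive member.
type Entry struct {
	Name      string
	Scheme    string // "none", "ZipCrypto", "AES-128", "AES-192", "AES-256" or "AES-unknown"
	Compliant bool   // true only for AES-256
}

// aesStrength walks a ZIP extra field and returns the AE-x key strength.
// AE-x body: vendor version (2), vendor ID "AE" (2), strength (1), real method (2).
func aesStrength(extra []byte) string {
	for len(extra) >= 4 {
		id := binary.LittleEndian.Uint16(extra[0:2])
		size := int(binary.LittleEndian.Uint16(extra[2:4]))
		if 4+size > len(extra) {
			break
		}
		if body := extra[4 : 4+size]; id == aesExtraID && len(body) >= 7 {
			switch body[4] {
			case 1:
				return "AES-128"
			case 2:
				return "AES-192"
			case 3:
				return "AES-256"
			}
			return "AES-unknown"
		}
		extra = extra[4+size:]
	}
	return "AES-unknown"
}

// AuditZip classifies every member of a .zip archive by its encryption scheme.
func AuditZip(data []byte) ([]Entry, error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	var out []Entry
	for _, f := range r.File {
		e := Entry{Name: f.Name}
		switch {
		case f.Flags&0x1 == 0: // general-purpose bit 0 clear: stored in the clear
			e.Scheme = "none"
		case f.Method == aesMethod:
			e.Scheme = aesStrength(f.Extra)
			e.Compliant = e.Scheme == "AES-256"
		default: // encrypted bit set with a legacy method: ZipCrypto
			e.Scheme = "ZipCrypto"
		}
		out = append(out, e)
	}
	return out, nil
}

// ArchiveIsCompliant is true only when every member uses AES-256.
func ArchiveIsCompliant(entries []Entry) bool {
	for _, e := range entries {
		if !e.Compliant {
			return false
		}
	}
	return len(entries) > 0
}

// aesExtra builds a WinZip AE-2 extra record for strength 1, 2 or 3 (128/192/256-bit).
func aesExtra(strength byte) []byte {
	b := make([]byte, 11)
	binary.LittleEndian.PutUint16(b[0:], aesExtraID)
	binary.LittleEndian.PutUint16(b[2:], 7) // body length
	binary.LittleEndian.PutUint16(b[4:], 2) // AE-2
	copy(b[6:], "AE")
	b[8] = strength
	binary.LittleEndian.PutUint16(b[9:], 8) // real compression method: deflate
	return b
}

type member struct {
	name   string
	flags  uint16
	method uint16
	extra  []byte
}

// buildSample writes a constructed archive whose headers mimic each scheme; the
// payload is a placeholder and is not really encrypted, only the headers matter here.
func buildSample(members []member) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	payload := []byte("constructed payload")
	for _, m := range members {
		fh := &zip.FileHeader{Name: m.name, Flags: m.flags, Method: m.method, Extra: m.extra,
			CRC32: crc32.ChecksumIEEE(payload), CompressedSize64: uint64(len(payload)), UncompressedSize64: uint64(len(payload))}
		fw, err := w.CreateRaw(fh) // raw: header fields are written exactly as given
		if err != nil {
			panic(err)
		}
		fw.Write(payload)
	}
	w.Close()
	return buf.Bytes()
}

func SampleZipCrypto() []byte { return buildSample([]member{{"payroll.xlsx", 0x1, zip.Deflate, nil}}) }
func SampleAES256() []byte    { return buildSample([]member{{"payroll.xlsx", 0x1, aesMethod, aesExtra(3)}}) }
func SampleMixed() []byte {
	return buildSample([]member{{"notes.txt", 0, zip.Store, nil}, {"client.pdf", 0x1, aesMethod, aesExtra(1)}})
}

func main() {
	data := SampleMixed() // no path given: audit the constructed sample
	if len(os.Args) > 1 {
		var err error
		if data, err = os.ReadFile(os.Args[1]); err != nil {
			fmt.Println(err)
			os.Exit(1)
		}
	}
	entries, err := AuditZip(data)
	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}
	for _, e := range entries {
		fmt.Printf("%-20s %-10s compliant=%v\n", e.Name, e.Scheme, e.Compliant)
	}
	fmt.Println("archive compliant:", ArchiveIsCompliant(entries))
}
```

Run it as `go run audit.go payroll.zip` before a file is sent; an archive passes only if every member reports AES-256, so a single member left on ZipCrypto (or added unencrypted) fails the whole archive.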
Method 2: Using Dedicated Encryption Software (Recommended)
Manual encryption is prone to error. As renowned cryptographer Bruce Schneier notes:
“Encryption works best if it’s ubiquitous and automatic… Encryption should be enabled for everything by default, not a feature you turn on only if you’re doing something you consider worth protecting.”
Dedicated tools like sekura.app remove the “human error” variable.
- Drag and drop your client files into the application.
- The software automatically applies AES-256 encryption—there are no settings to “forget.”
- Generate a secure link or encrypted package.
- The tool handles key management, ensuring you don’t accidentally lock yourself out of your own data.
Using dedicated software ensures that every file leaving your organization meets the “state of the art” requirement of Article 32 without requiring your legal team to become IT experts.
Method 3: Encrypting Backups
Backups are a frequent target for attackers because they are often less guarded than live systems.
Consider the archived USB drive scenario: Dr. Aris, a therapist, diligently backed up 5 years of patient notes onto a USB drive. He stored it in a locked drawer. When his office was burgled, the drive was stolen. Because the files were readable text documents, he had to notify every single patient of the breach.
If Dr. Aris had encrypted the files with AES-256 before moving them to the USB drive, the theft would likely not have required patient notification under the GDPR “unintelligible data” safe harbor.
Action Item: Ensure any data moved to cold storage (USB, external HDDs, or archival cloud tiers) is encrypted at the file level before transfer.
Best Practices for Key Management
Encryption is only as secure as the password (key) used to lock it. If you encrypt a file with AES-256 but use “Password123,” you are not compliant. Furthermore, GDPR mandates availability of data. If you encrypt client files and lose the password, you have effectively destroyed the data, which is also a compliance violation.
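For Method 3 and the key-management point above, this is what file-level AES-256 encryption under a passphrase looks like when done properly. It is an added example written in Go with only the standard library; it is not sekura.app's, 7-Zip's or this guide's code. The key is derived from the passphrase with PBKDF2-HMAC-SHA256 and a fresh random salt, the file is sealed with AES-256-GCM so that any modified byte or wrong passphrase produces an error rather than garbage, and the salt, nonce and iteration count are stored in a small header so the file can be decrypted later and the work factor raised without breaking older files. The container tag "GDPRv1", the header layout, the GDPR_PASSPHRASE environment variable and the command-line form are this example's own conventions, not a standard.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"os"
)

// Container layout (this example's own convention):
//   magic(6) || iterations(4, big-endian) || salt(16) || nonce(12) || AES-256-GCM ciphertext+tag
const (
	magic             = "GDPRv1"
	saltLen           = 16
	nonceLen          = 12
	keyLen            = 32         // 256-bit AES key
	DefaultIterations = 600_000    // PBKDF2-HMAC-SHA256 work factor for new files
	maxIterations     = 10_000_000 // refuse headers that would turn decryption into a denial of service
	headerLen         = len(magic) + 4 + saltLen + nonceLen
)

// pbkdf2SHA256 derives keyLen bytes from a passphrase (RFC 8018 PBKDF2 with HMAC-SHA256).
func pbkdf2SHA256(pass, salt []byte, iter, keyLen int) []byte {
	mac := hmac.New(sha256.New, pass)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		var ctr [4]byte
		binary.BigEndian.PutUint32(ctr[:], block)
		mac.Reset()
		mac.Write(salt)
		mac.Write(ctr[:])
		u := mac.Sum(nil) // U1 = HMAC(pass, salt || block)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ { // T = U1 xor U2 xor ... xor Uc
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

func newAEAD(passphrase, salt []byte, iter int) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256(passphrase, salt, iter, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under a key derived from passphrase with the given PBKDF2 work factor.
func Encrypt(plaintext, passphrase []byte, iter int) ([]byte, error) {
	if iter <= 0 || iter > maxIterations {
		return nil, errors.New("iteration count out of range")
	}
	header := make([]byte, headerLen)
	copy(header, magic)
	binary.BigEndian.PutUint32(header[len(magic):], uint32(iter))
	if _, err := rand.Read(header[len(magic)+4:]); err != nil { // fresh salt and nonce for every file
		return nil, err
	}
	salt := header[len(magic)+4 : len(magic)+4+saltLen]
	nonce := header[len(magic)+4+saltLen:]
	aead, err := newAEAD(passphrase, salt, iter)
	if err != nil {
		return nil, err
	}
	// The header is bound as additional authenticated data, so edits to it are detected too.
	return aead.Seal(header, nonce, plaintext, header), nil
}

// Decrypt reverses Encrypt; a wrong passphrase or any modified byte yields an error, never garbage.
func Decrypt(blob, passphrase []byte) ([]byte, error) {
	if len(blob) < headerLen+16 || string(blob[:len(magic)]) != magic {
		return nil, errors.New("not a recognised encrypted file")
	}
	iter := int(binary.BigEndian.Uint32(blob[len(magic):]))
	if iter <= 0 || iter > maxIterations {
		return nil, errors.New("iteration count out of range")
	}
	salt := blob[len(magic)+4 : len(magic)+4+saltLen]
	nonce := blob[len(magic)+4+saltLen : headerLen]
	aead, err := newAEAD(passphrase, salt, iter)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, nonce, blob[headerLen:], blob[:headerLen])
	if err != nil {
		return nil, errors.New("wrong passphrase or file has been tampered with")
	}
	return pt, nil
}

// Usage (assumed convention): GDPR_PASSPHRASE='<12+ chars>' prog encrypt|decrypt <in> <out>
func main() {
	pass := []byte(os.Getenv("GDPR_PASSPHRASE"))
	if len(os.Args) != 4 || len(pass) < 12 {
		fmt.Println("usage: GDPR_PASSPHRASE=<12+ chars> prog encrypt|decrypt <in> <out>")
		os.Exit(2)
	}
	in, err := os.ReadFile(os.Args[2])
	if err == nil {
		var out []byte
		if os.Args[1] == "encrypt" {
			out, err = Encrypt(in, pass, DefaultIterations)
		} else {
			out, err = Decrypt(in, pass)
		}
		if err == nil {
			err = os.WriteFile(os.Args[3], out, 0o600) // owner-only permissions on the result
		}
	}
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
}
```

Because the key exists only as a function of the passphrase, losing the passphrase loses the file for good, which is exactly the availability failure described above; the passphrase therefore belongs in a password manager or escrow arrangement the organisation controls, and it travels to the recipient by a different channel than the encrypted file.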
The Golden Rule of Sharing
Never send the password in the same channel as the encrypted file.
If you email an encrypted PDF to a client, do not include the password in that email. If a hacker has access to your email to steal the file, they have access to the password.
How to do it right:
- Email the encrypted file.
- Send the password via a secondary channel, such as SMS, Signal, or a verbal phone call.
- Alternatively, use a tool that utilizes one-time access links.
For more details on handling credentials, refer to our [Secure Password Sharing Guide].
Frequently Asked Questions
Does password protecting a Word file count as GDPR encryption? Generally, no. Older Office password protection is weak and easily cracked. GDPR requires “state of the art” measures, which typically means AES-256 encryption. You should use dedicated encryption software rather than just document passwords.
Is 7-Zip GDPR compliant? Yes, but only if you specifically select the “AES-256” encryption method and use a strong password (12+ characters). The default “ZipCrypto” method in some archive tools is insecure and not compliant.
Can I send unencrypted files if I use a disclaimer? No. A disclaimer does not absolve you of the responsibility to secure personal data. Sending sensitive PII unencrypted is a direct violation of GDPR Article 32.
What is the penalty for not encrypting personal data? Fines can reach up to 4% of global turnover or €20 million. Regulators specifically target organizations that fail to implement Article 32 technical measures.
Conclusion
Encryption under GDPR is not optional; it is your primary defense against negligence claims and reputational ruin. The statistics are clear: 43% of enterprises failed compliance audits in 2024, and those organizations were 10 times more likely to suffer a breach.
Don’t let technical complexity be the reason you face a fine. Whether you use manual tools or automated software, the requirement is the same: protect the file, not just the device.
Ensure your client files are compliant today. Start your free trial of sekura.app to automate AES-256 encryption without the technical headache.