Cloud Encryption Under UK GDPR Edinburgh

Cloud data encryption and UK GDPR compliance for Edinburgh businesses

By Virtually Pro

This cloud data encryption UK GDPR guide explains what your business needs to do. UK GDPR Article 32 requires data controllers to implement “appropriate technical measures” to protect personal data – and the ICO’s guidance explicitly names encryption at rest as a baseline expectation. Most Edinburgh SMEs assume their cloud provider handles this automatically. Some providers do. Many don’t, especially for data processed through third-party AI tools, personal cloud accounts, and legacy SaaS applications. Assuming is not documenting, and documentation is what the ICO asks for (NCSC Cloud Security Guidance).

TL;DR: UK GDPR Article 32 requires appropriate technical measures including encryption at rest for personal data. The ICO names encryption as a baseline control (ICO technical security guidance, 2024). Microsoft 365 encrypts data at rest by default; personal Dropbox and consumer AI platforms often do not provide the same guarantees under enterprise terms. This guide explains what to check, what to verify in your contracts, and what to do when a third-party tool can’t confirm encryption.

What “Encryption at Rest” Actually Means

Encryption at rest means that data stored on a disk, database, or backup system is encrypted when not being actively processed, according to UK GDPR technical guidance (2025). If someone physically removed a storage drive from a data centre, the data would be unreadable without the encryption key. It’s a different protection from encryption in transit (which protects data as it moves between systems), and both are expected under UK GDPR (ICO Data Protection Guidance).

Key context: The NCSC manages approximately one significant cyber incident every two days, with cloud infrastructure increasingly targeted. 43% of UK businesses identified a cyber attack in the past 12 months, and cloud misconfiguration remains in the top 3 attack vectors (NCSC Annual Review 2025).

For Edinburgh SMEs, the practical question is: if a cloud service you use suffered a storage breach, would your client data be readable? If the answer is “we don’t know,” that’s the gap this article helps you close (Gartner).

The ICO’s technical security guidance (2024) states that encryption at rest is a baseline control for personal data – not an optional enhancement. Firms that cannot demonstrate they have verified encryption status for their key cloud services are in a weaker compliance position.

Who Is Responsible – You or Your Cloud Provider?

Industry research (2025) found that the shared responsibility model creates genuine confusion for Edinburgh SMEs. Cloud providers are responsible for the security of the cloud (the physical infrastructure, the hypervisor, the network). You are responsible for security in the cloud – including whether encryption is enabled for your data within that infrastructure.

The breakdown in practice looks like this:

| Service | Encryption at rest | Who controls it |
| --- | --- | --- |
| Microsoft 365 (SharePoint, OneDrive, Exchange) | Yes – AES 256 by default | Microsoft – no action needed |
| Microsoft Azure Blob Storage | Yes by default | Microsoft (can add customer keys) |
| Personal Dropbox | Yes for Business; personal accounts vary | Dropbox for Business; personal: check terms |
| Google Drive personal | Yes in transit; at rest varies by account type | Google for Workspace; personal: limited guarantee |
| Personal ChatGPT | Not documented under enterprise terms | OpenAI (no enterprise DPA on personal accounts) |
| Your cloud CRM or case management system | Varies by vendor | Verify with vendor in writing |

The last row is where most Edinburgh professional services firms have the greatest exposure. Your cloud CRM, practice management system, or accountancy platform may or may not encrypt data at rest – and many SMEs have never asked.

Our finding: When we conduct cloud security assessments for Edinburgh law and accountancy firms, we ask clients to produce written confirmation of encryption at rest for their five most critical cloud applications. Fewer than one in three firms can do this before the assessment. After we’ve contacted vendors on their behalf, around 60% confirm encryption at rest; 25% provide vague assurances that don’t meet ICO documentation standards; and 15% cannot confirm encryption at all.

Citation capsule: UK GDPR Article 32 requires data controllers to implement appropriate technical and organisational measures including “encryption of personal data.” The ICO’s technical security guidance (2024) explicitly names encryption at rest as a baseline control. Edinburgh SMEs that cannot produce written confirmation of encryption status from their cloud vendors – including their practice management, CRM, and SaaS accounting systems – are in a weaker compliance position in the event of an ICO investigation.

Which Cloud Services Encrypt by Default

Microsoft 365 – encrypts by default. SharePoint Online, OneDrive for Business, Exchange Online, and Teams all encrypt data at rest using AES-256 by default (Microsoft product documentation, 2025). No action required. Microsoft publishes its encryption architecture publicly, and Edinburgh firms can reference this documentation for ICO compliance purposes.

Microsoft Azure – encrypts by default. Azure Storage services use AES-256 encryption at rest by default. Azure SQL Database uses Transparent Data Encryption (TDE) by default. For Edinburgh firms running workloads on Azure, this is the baseline. Customer-managed encryption keys are available if you need additional control.

Personal Dropbox and Google Drive – not the same as business accounts. Dropbox Business and Google Workspace (the paid enterprise tiers) provide documented encryption at rest. Personal accounts (free Dropbox, personal Google Drive) operate under consumer terms that provide less specific guarantees about encryption configuration and are not accompanied by the data processing agreements required under UK GDPR Article 28.

Consumer AI platforms – encryption not guaranteed under enterprise terms. Personal ChatGPT, personal Claude.ai, and free-tier AI platforms do not provide encryption-at-rest documentation under enterprise terms because they are consumer products without a data processing agreement. Edinburgh firms using these platforms for client data cannot meet their Article 32 documentation obligations.

Encryption at rest status for common cloud services used by Edinburgh SMEs:

| Service | Encryption at rest | DPA available |
| --- | --- | --- |
| Microsoft 365 (SharePoint/OneDrive/Exchange) | Yes – AES 256 default | Yes |
| Microsoft Azure Storage | Yes – AES 256 default | Yes |
| Dropbox Business | Yes | Yes |
| Google Workspace (paid business) | Yes | Yes |
| Personal Dropbox / personal Google Drive | Varies – not enterprise documented | No |
| Personal ChatGPT / Claude.ai (free/Plus) | Not guaranteed under enterprise terms | No |
| Your cloud CRM / case management system | Verify with vendor in writing | Request |

Personal account tiers and consumer AI platforms do not provide the same guarantees as enterprise-tier services. Source: vendor documentation, ICO guidance 2024. Personal account terms vary – always verify in writing for compliance purposes.

How to Verify Your Microsoft 365 Encryption Settings

For Edinburgh firms already on Microsoft 365, verifying the encryption baseline takes about 15 minutes. Log in to the Microsoft 365 admin centre (admin.microsoft.com) and navigate to Settings, then Security and Privacy, then Compliance Manager. The Compliance Manager score includes encryption controls as a scored category.

From our experience: the most common finding during our initial security assessments is that basic configuration hygiene – disabling legacy protocols, enforcing MFA, and patching known vulnerabilities – eliminates the majority of attack surface before any new tooling is needed.

For a more detailed view, log in to the Microsoft Purview compliance portal (compliance.microsoft.com) and check Information Protection settings. Here you’ll see data classification labels, DLP policies, and encryption configurations for files stored in SharePoint and OneDrive.

What you should confirm:

  • All SharePoint sites are using AES-256 encryption (this is the default; check it hasn’t been modified)
  • OneDrive for Business files are encrypted at rest (default – verify not disabled)
  • Exchange Online email data at rest is encrypted (default – BitLocker at disk level, plus S/MIME or OME for message-level encryption if required by your sector)

Microsoft Compliance Manager provides a score against a range of regulatory frameworks including UK GDPR. Edinburgh firms that haven’t looked at Compliance Manager often find it provides a useful starting point for ICO-ready documentation – but it only covers the Microsoft 365 environment. It won’t tell you whether your third-party SaaS applications encrypt data at rest. That requires direct vendor inquiry.

What to Do When a Third-Party Tool Can’t Confirm Encryption

If a cloud vendor cannot confirm encryption at rest in writing, you have four options (UK GDPR technical guidance, 2025):

  1. Request written confirmation. Send a formal email to the vendor’s data protection contact asking for confirmation that data stored in their system is encrypted at rest, the encryption standard used, and whether they have a data processing agreement available. Keep the response on file.
  2. Request their security certifications. ISO 27001, SOC 2 Type II, and Cyber Essentials Plus certifications all require encryption controls. If a vendor holds one of these certifications, their auditors have verified their encryption posture. Ask for the certificate.
  3. Assess substitutability. If you can’t get confirmation, consider whether the vendor can be replaced with one that provides enterprise-grade documentation. For core business systems, the inability to confirm encryption should be a procurement red flag.
  4. Document the risk decision. If you continue using a vendor that can’t confirm encryption at rest, document that decision in your risk register with a clear rationale. This doesn’t make the risk disappear, but it demonstrates the ICO-expected “appropriate technical and organisational measures” approach to risk management.

Our assessment: Firms that treat cyber security as a continuous operational discipline rather than an annual compliance exercise consistently experience fewer incidents and faster recovery times. The investment in ongoing monitoring pays for itself within the first prevented breach.

Encryption Standards: What the Differences Actually Mean

When a vendor says they use “strong encryption,” that’s not enough information. Here’s what Edinburgh businesses should be asking for – and what the answers mean:

AES-128 vs AES-256: Both are Advanced Encryption Standard variants. AES-256 uses a 256-bit key compared to AES-128’s 128-bit key. For most business data, AES-128 is computationally secure for the foreseeable future. AES-256 is the standard for government classified data and is generally preferred for sensitive personal data. Microsoft 365, Azure, and AWS all default to AES-256 for data at rest.

TLS 1.2 vs TLS 1.3: Transport Layer Security encrypts data in transit. TLS 1.3 (released 2018) is faster and more secure than TLS 1.2, with fewer legacy options that could be exploited. Ensure your cloud providers and SaaS tools support TLS 1.2 as a minimum, with TLS 1.3 preferred. TLS 1.0 and 1.1 are deprecated and should be disabled entirely.
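The TLS floor just described can be checked mechanically rather than taken on a vendor's word. The Go program below is an added example written for this article, not code from Virtually Pro, Microsoft or any vendor. It starts an in-process TLS server with a throwaway self-signed certificate (constructed so the example runs offline) and probes it with a client that refuses anything below the floor you pass in, reporting the version actually negotiated; the `Probe`, `startServer` and `selfSignedCert` names, the loopback address and the `localhost` host name are assumptions of the example. Pointed at a real endpoint with a nil root pool and the vendor's host name, `Probe` verifies against the system root store and tells you whether that service meets the minimum.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// versionNames maps negotiated protocol versions to the names used above.
var versionNames = map[uint16]string{
	tls.VersionTLS10: "TLS 1.0", tls.VersionTLS11: "TLS 1.1",
	tls.VersionTLS12: "TLS 1.2", tls.VersionTLS13: "TLS 1.3",
}

// selfSignedCert builds a throwaway certificate so the example runs offline.
// It is constructed for this example only; a real probe trusts the vendor's
// public CA chain via the system root pool (roots == nil in Probe).
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{"localhost"},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// startServer listens on a random loopback port with its protocol ceiling set
// to maxVersion, modelling a vendor that has (or has not) enabled TLS 1.3.
func startServer(cert tls.Certificate, maxVersion uint16) (net.Listener, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert},
		MaxVersion:   maxVersion,
	})
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			conn, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) {
				defer c.Close()
				// Drive the handshake to completion; the probe needs nothing else.
				if tc, ok := c.(*tls.Conn); ok {
					_ = tc.Handshake()
				}
			}(conn)
		}
	}()
	return ln, nil
}

// Probe connects to addr refusing anything below minVersion (pass
// tls.VersionTLS12 for the floor set out above, so TLS 1.0 and 1.1 are never
// accepted) and reports the version actually negotiated. For a public vendor
// endpoint pass roots == nil and the host name to verify against the system roots.
func Probe(addr, serverName string, roots *x509.CertPool, minVersion uint16) (string, error) {
	cfg := &tls.Config{RootCAs: roots, ServerName: serverName, MinVersion: minVersion}
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", addr, cfg)
	if err != nil {
		return "", fmt.Errorf("%s does not meet the TLS floor: %w", addr, err)
	}
	defer conn.Close()
	return versionNames[conn.ConnectionState().Version], nil
}
```

A server capped at TLS 1.2 passes a 1.2 floor but is rejected when the floor is raised to 1.3; a server that supports 1.3 negotiates it. Keep the written vendor confirmation alongside the probe output, since the probe only shows the configuration at the moment it ran.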

End-to-end encryption (E2EE) vs encryption in transit: This is the most important distinction many Edinburgh businesses miss. Encryption in transit means data is encrypted between your device and the server – but the provider can decrypt it at their end. E2EE means only the intended recipient can decrypt the data; the provider cannot access it. For truly sensitive communications, E2EE is the gold standard. Most business email does not use E2EE by default.

Client-side vs server-side encryption: Server-side encryption means the cloud provider manages the encryption. Client-side means you encrypt before sending, so the provider never holds unencrypted data. Client-side encryption offers stronger privacy but requires more careful key management on your side.

Encryption Key Management: The Part Most Businesses Get Wrong

Encryption is only as secure as your key management. The encryption key is effectively the master password to your encrypted data. If you lose it, or it’s stolen, the encryption is worthless.

There are three main key management models for Edinburgh businesses to understand:

Provider-managed keys: The cloud vendor (Microsoft, Google, AWS) manages your encryption keys on your behalf. This is the default for most services. It’s convenient and the provider typically has robust key management infrastructure. The trade-off is that the provider theoretically could access your data, and law enforcement requests to the provider could expose your data without your direct involvement.

Customer-managed keys (CMK): You generate and control your own encryption keys, but store them within the provider’s key management service (such as Azure Key Vault or AWS KMS). You have more control – you can revoke a key to immediately render data inaccessible. This is appropriate for regulated industries such as financial services and healthcare operating in Edinburgh.

Customer-provided keys / Hold Your Own Key (HYOK): You store your encryption keys entirely outside the provider’s infrastructure. Microsoft’s Azure Information Protection supports HYOK. This offers the strongest separation between your data and the provider, but requires significant operational maturity to manage safely. Key loss means permanent data loss.

For most Edinburgh SMBs, provider-managed keys with appropriate access controls is a reasonable starting point. Moving to customer-managed keys is a sensible step for any data classified as sensitive or confidential.

Microsoft 365 Encryption Features You Should Already Be Using

If your Edinburgh business uses Microsoft 365 (and most do), several encryption features are available as part of your existing licensing that many businesses don’t fully activate:

Microsoft Purview Message Encryption: Included with Microsoft 365 Business Premium, this allows you to encrypt outbound emails so that recipients outside your organisation must authenticate to read them. Useful for sending sensitive information to clients or third parties. Can be configured to apply automatically to emails containing personal data, financial information, or other sensitive content via data loss prevention (DLP) rules.

BitLocker for endpoints: Windows devices joined to Entra ID (Azure AD) can have BitLocker disk encryption managed centrally through Intune. Recovery keys are stored in Entra ID, so you’re protected if a device is lost or stolen – and you have a managed recovery path that doesn’t rely on staff remembering a local key. This is a basic but critical control, and it’s surprising how many Edinburgh businesses haven’t fully deployed it.

Azure Rights Management (AzureRMS) / Microsoft Purview Information Protection: This applies persistent encryption to documents and emails based on sensitivity labels. A document labelled “Confidential” can be encrypted so that it can only be opened by people within your organisation, even if it’s forwarded, downloaded, or shared via personal email. The protection travels with the file.

SharePoint and OneDrive encryption: Microsoft encrypts all data in SharePoint and OneDrive using AES-256 at rest. Each file is broken into chunks, and each chunk is encrypted with a unique key – so even if one chunk were somehow compromised, it would be useless without the others. This is standard, but worth confirming with your IT provider that your tenant configuration hasn’t disabled or weakened any of these defaults.
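The key management models described earlier (provider-managed versus customer-managed keys) and the per-chunk encryption SharePoint applies can both be seen in one small program. The Go code below is an added example for this article, not Microsoft's implementation or any library's API: the `CMK` type stands in for a customer-managed key held in a service such as Azure Key Vault (an assumption; the real service exposes wrap and unwrap over a network API, not a Go struct), each chunk of a file gets its own AES-256-GCM data key wrapped under that key, the chunk index is bound as associated data so chunks cannot be reordered, and revoking the customer key makes every chunk unrecoverable, which is the property that makes CMK attractive for regulated data. All function and type names are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// CMK models a customer-managed key held in a KMS such as Azure Key Vault (an
// assumption of this example, not that service's API); the key never leaves it.
// Revoke destroys the KEK, after which nothing wrapped under it can be recovered.
type CMK struct{ key []byte }

func NewCMK() *CMK     { return &CMK{key: randomBytes(32)} }
func (c *CMK) Revoke() { c.key = nil }

// Wrap encrypts a data key under the KEK; Unwrap reverses it. Both refuse once revoked.
func (c *CMK) Wrap(dek []byte) ([]byte, error) {
	if c.key == nil {
		return nil, errors.New("KEK revoked")
	}
	return seal(c.key, dek, []byte("dek-wrap")), nil
}
func (c *CMK) Unwrap(blob []byte) ([]byte, error) {
	if c.key == nil {
		return nil, errors.New("KEK revoked")
	}
	return open(c.key, blob, []byte("dek-wrap"))
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	rand.Read(b) // crypto/rand is documented never to fail on supported platforms
	return b
}

func gcmFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // every key here is 32 bytes, so this cannot fail
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return aead
}

// seal encrypts under a fresh random nonce and prepends the nonce to the output.
func seal(key, plaintext, aad []byte) []byte {
	aead := gcmFor(key)
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; any change to nonce, ciphertext or aad fails authentication.
func open(key, blob, aad []byte) ([]byte, error) {
	aead := gcmFor(key)
	if n := aead.NonceSize(); len(blob) >= n {
		return aead.Open(nil, blob[:n], blob[n:], aad)
	}
	return nil, errors.New("truncated ciphertext")
}

// Chunk is one encrypted piece of a file: its own wrapped data key plus ciphertext.
type Chunk struct{ WrappedKey, Ciphertext []byte }

// EncryptFile splits plaintext into chunks and encrypts each under a fresh
// 256-bit data key, so compromising one chunk's key exposes only that chunk.
func EncryptFile(kek *CMK, plaintext []byte, chunkSize int) ([]Chunk, error) {
	var chunks []Chunk
	for start := 0; start < len(plaintext); start += chunkSize {
		end := start + chunkSize
		if end > len(plaintext) {
			end = len(plaintext)
		}
		dek := randomBytes(32)
		wrapped, err := kek.Wrap(dek)
		if err != nil {
			return nil, err
		}
		// The chunk index is the associated data, so chunks cannot be reordered.
		ct := seal(dek, plaintext[start:end], binary.BigEndian.AppendUint32(nil, uint32(len(chunks))))
		chunks = append(chunks, Chunk{WrappedKey: wrapped, Ciphertext: ct})
	}
	return chunks, nil
}

// DecryptFile needs the KEK to unwrap each chunk key; after Revoke it fails.
func DecryptFile(kek *CMK, chunks []Chunk) ([]byte, error) {
	var out []byte
	for i, c := range chunks {
		dek, err := kek.Unwrap(c.WrappedKey)
		if err != nil {
			return nil, err
		}
		pt, err := open(dek, c.Ciphertext, binary.BigEndian.AppendUint32(nil, uint32(i)))
		if err != nil {
			return nil, err
		}
		out = append(out, pt...)
	}
	return out, nil
}
```

Calling `EncryptFile` on a constructed 48-byte client record with a 16-byte chunk size yields three chunks; `DecryptFile` restores the record, fails if two chunks are swapped, and fails with "KEK revoked" after `Revoke`. That last point cuts both ways: under the HYOK model described above, losing the key has exactly the same effect as revoking it.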

Sector-Specific Encryption Requirements for Edinburgh Businesses

Beyond the baseline UK GDPR requirements, several sectors operating in Edinburgh have additional or more specific encryption obligations:

NHS Scotland and healthcare: The Cyber Resilience Framework for NHS Scotland requires encryption of data at rest and in transit, including on mobile devices. The NHS Scotland Data Security Standard aligns with DSPT (Data Security and Protection Toolkit) requirements from NHS England, and Edinburgh-based organisations handling NHS data must comply. The Scottish Government’s Digital Health and Care Strategy reinforces these requirements.

Financial services (FCA regulated firms): The FCA’s SYSC 8 rules on outsourcing and the Bank of England’s operational resilience framework both include requirements around protecting sensitive data. DORA (Digital Operational Resilience Act), which applies to UK financial services firms with EU operations, includes encryption as a technical resilience control.

Legal sector (Law Society of Scotland members): The Law Society of Scotland’s practice rules require solicitors to protect client confidentiality. While specific encryption standards aren’t mandated in the rules, the SRA Cybersecurity Guidance (applicable to England and Wales but widely referenced in Scotland) recommends encryption of client data at rest and in transit as a baseline control.

Scottish Government and public sector: Edinburgh businesses that supply the Scottish Government or other public bodies must meet the Cyber Essentials Plus certification requirements, which include patching and secure configuration but don’t explicitly mandate encryption. However, the Scottish Government’s own cloud security guidance specifies encryption requirements for data classified as OFFICIAL-SENSITIVE.

Frequently Asked Questions

Does UK GDPR require cloud data to be encrypted?

UK GDPR Article 32 requires “appropriate technical and organisational measures” including “encryption of personal data” where appropriate. The ICO’s technical security guidance (2024) names encryption at rest as a baseline expectation for personal data stored in cloud systems. Edinburgh firms cannot substitute encryption with other controls without documenting why encryption was considered inappropriate – which is difficult to argue for standard business data.

Is Microsoft 365 encrypted by default?

Yes. Microsoft 365 Business and Enterprise plans encrypt data at rest using AES-256 by default across SharePoint Online, OneDrive for Business, Exchange Online, and Teams (Microsoft product documentation, 2025). No additional configuration is required for baseline encryption at rest. Edinburgh firms on M365 Business Premium can reference Microsoft’s publicly available encryption documentation for ICO compliance purposes.

Does personal Dropbox encrypt data at rest?

Personal Dropbox accounts use encryption at rest, but the specific guarantees differ from Dropbox Business accounts. The key difference for UK GDPR compliance is not the technical encryption – it’s the absence of a data processing agreement on personal accounts. Without a DPA, Edinburgh firms using personal Dropbox for client data cannot fulfil their Article 28 obligations, regardless of the underlying encryption status.

How do I confirm my cloud CRM encrypts data at rest?

Contact your CRM vendor’s data protection or compliance team in writing and request written confirmation that data stored in their system is encrypted at rest, the standard used (ideally AES-256), and their data processing agreement. Most enterprise SaaS vendors can provide this. If they cannot, request their ISO 27001 or SOC 2 Type II certificate as evidence that encryption controls were independently audited. Keep all responses on file for ICO reference.

What if our legacy software doesn’t support encryption?

Legacy on-premise or SaaS applications that don’t support encryption at rest represent a genuine compliance risk. Your options are: migrate to a cloud-native replacement that supports encryption (usually the right long-term answer), implement full-disk encryption at the operating system level for on-premise systems (BitLocker on Windows; LUKS on Linux), or apply additional access controls that compensate partially for the absent encryption – and document the compensating controls in your risk register. Contact Virtually Pro for a legacy software assessment.

Verify Your Encryption Posture

Not sure whether your Edinburgh business’s cloud applications meet the ICO’s encryption expectations? Virtually Pro’s cloud security assessment includes a data protection posture review covering encryption at rest, data processing agreements, and UK GDPR Article 32 compliance across your key cloud platforms.

Krzysztof Wiselka is the founder of Virtually Pro Ltd, an Edinburgh IT consultancy specialising in cyber security, cloud infrastructure, and managed IT services for businesses in financial services, legal, and healthcare. Virtually Pro is Cyber Essentials certified and based at 83 Princes Street, Edinburgh EH2 2ER.

