Last year the ICO updated their encryption guidance. Most folk missed it, but if you’re sending or storing anything with personal data, it’s worth paying attention.
They’ve gone with the new “must, should, could” setup (I love this one — we use it for dev). Encryption when you’re transmitting personal data lands squarely in “should”. In plain English: they expect you to do it. If it all goes pear-shaped and you weren’t encrypting, you’ll be explaining yourself — and “we never got round to it” won’t cut much ice when the tools are cheap and easy.
What they’re actually saying
- You must think about encryption right at the start when you’re designing any new process. Not as an afterthought.
- You must use proper in-transit encryption (TLS, none of that dead SSL nonsense).
- You must pair it with decent authentication — encryption on its own is just for show.
- You should encrypt personal data when you’re storing or sending it. That “should” carries weight.
Where most tools fall down
A lot of platforms say “encrypted” like it’s a magic word. Usually they just mean the padlock in your browser — encryption in transit. Grand while the file’s moving, but once it hits their servers they can still open it. And if they can, so can anyone with a court order or the right jurisdiction over them.
Proper end-to-end encryption is different. Only you and the person you’re sending to can read it. The platform is blind 🙈
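The difference between transit-only and end-to-end encryption, as an added Node.js example that is not code from safedrop or any other provider. AES-256-GCM, the function names and the sample file are assumptions chosen for illustration.

```javascript
// Added example. All names here are hypothetical, not a real product's API.
const nodeCrypto = require('crypto');

// Sender's device: encrypt before anything is uploaded.
// The key is generated locally and is not part of the upload.
function encryptOnDevice(plaintext) {
  const key = nodeCrypto.randomBytes(32); // AES-256 key, stays with the sender
  const iv = nodeCrypto.randomBytes(12);  // fresh 96-bit nonce for every file
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { key, upload: { iv, ciphertext, tag: cipher.getAuthTag() } };
}

// Recipient's device: the key reached them by a route the platform never saw.
function decryptOnDevice(key, upload) {
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, upload.iv);
  decipher.setAuthTag(upload.tag);
  // final() throws if the key is wrong or the ciphertext was altered
  return Buffer.concat([decipher.update(upload.ciphertext), decipher.final()]);
}

// What the provider, or anyone who compels the provider, can recover
// from what sits in its own storage.
function providerCanRead(stored) {
  // Transit-only: TLS ended at the provider's edge, so the file is readable there.
  if (Buffer.isBuffer(stored)) return stored.toString('utf8');
  try {
    // End-to-end: the provider holds no key, so all it can do is guess one.
    return decryptOnDevice(nodeCrypto.randomBytes(32), stored).toString('utf8');
  } catch (err) {
    return null; // GCM authentication fails without the sender's key
  }
}

function demo() {
  // Constructed sample input, not real data.
  const file = Buffer.from('CONSTRUCTED SAMPLE: client contract draft', 'utf8');
  const { key, upload } = encryptOnDevice(file);
  return {
    transitOnly: providerCanRead(file),  // provider stored what TLS delivered
    endToEnd: providerCanRead(upload),   // provider stored ciphertext only
    recipient: decryptOnDevice(key, upload).toString('utf8'),
  };
}

console.log(demo());
```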
Then there’s the CLOUD Act. If your provider is American-owned, US authorities can force them to hand over data no matter where the servers are sitting. “We’ve got UK data centres” sounds nice but it doesn’t change who controls the keys. Worst part? They wouldn’t even have to tell you it happened.
The bit that really hurts
For councils, letting down citizens is probably the worst bit, and the ICO fine just makes it worse.
For law firms and professional services? The fine is often the least of your worries.
Imagine you’re handling sensitive defence specs or energy-sector contract data for a UK or European client. One day it leaks that US authorities grabbed it because your file-transfer tool was caught under the CLOUD Act. Clients don’t forget that. Neither does the SRA, your insurers, or the next pitch meeting.
With Europe and the UK pushing hard on real data sovereignty and moving away from US-controlled infrastructure in critical sectors, that kind of exposure looks careless at best — and it’s getting harder to explain away. Clients expect more now. Jurisdictional governance isn’t a nice-to-have anymore.
What we did at safedrop
When we were building this, I made one rule from day one: we should never be able to read your files. Not “we promise we won’t” — we literally can’t.
Everything gets encrypted on your device before it leaves. The keys never leave UK infrastructure we control. Even if someone shows up with a warrant, we’ve got nothing to give them.
Every send leaves a proper audit trail that’ll stand up in court — who sent what, when it arrived, when it was opened. We’ve had customers use it to prove delivery when someone tried to claim otherwise.
And the person receiving it doesn’t need an account. They just click the link. Less hassle means less chance of someone saying “sod this” and emailing the file instead.
What to do instead of hoping for the best
- Ask your current file transfer tool straight: can you lot actually open my files on your servers? Watch how they dance around the answer. 🤣
- If they’re American-headed, have a proper think about the CLOUD Act and what it would look like if defence or energy client data ended up in US hands. 🇺🇸
- Dust off your encryption policy. If it hasn’t been touched since the ICO updated the guidance last year, now’s the time. 🔒
If you want to see how the zero-knowledge version actually feels in real life (no provider access, proper UK jurisdiction, recipients who don’t need accounts), the new platform is there to try for free.
Angus Bradley
Founder, safedrop
safedrop is ISO 27001 and Cyber Essentials certified. Used by councils, law firms and enterprises who are fed up with tools that look secure on paper but leave you exposed when it matters.