The 1998 Data Protection Act only implies that companies should consider encrypting sensitive customer information, but no “explicit” obligation is demanded under UK law. It says:
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
However, while those technical measures could be interpreted as encryption, there is no suggestion under principle 7 of the DPA that says such action is an explicit requirement.
Source: TalkTalk plays ‘no legal obligation’ card on encryption