Post-Quantum Cryptography for Privacy Teams: What to Prioritize Before the 2030 Deprecation Deadline

Table of Contents

Somewhere right now, an intelligence service or criminal syndicate is exfiltrating encrypted data it cannot read. Not because of an operational mistake — because of a strategy. The data is being warehoused for the day a sufficiently powerful quantum computer can retroactively strip the encryption off of it. The tactic has a name, “harvest now, decrypt later,” and it quietly rewrites one of the foundational assumptions of every privacy program: that properly encrypted personal data is safe personal data.

It is tempting to file quantum computing under “someday problems,” next to asteroid insurance. That would be a mistake, and increasingly, a compliance failure. The U.S. government has now issued three executive orders on the subject — Executive Order 14144 in January 2025, Executive Order 14306 amending it in June 2025, and most recently Executive Order 14412 — each pushing federal agencies and their vendors toward post-quantum cryptography on defined timelines. NIST finalized its first post-quantum encryption standards in August 2024 and has signaled that the classical algorithms securing most of today’s internet should be deprecated by 2030 and disallowed by 2035. The migration has started. The question for privacy teams is whether they are in the room for it.

Because here is the uncomfortable truth: this is not just a cybersecurity project. The decision about which data gets migrated first is a privacy decision. And the cheapest, most immediate defense against harvest-now-decrypt-later is not cryptographic at all — it is data minimization and retention discipline, the things privacy teams have been begging for budget to do for a decade.

The Threat in Plain English

Modern encryption comes in two flavors. Symmetric encryption — the same key encrypts and decrypts — is fast, strong, and largely quantum-resistant at adequate key lengths. The problem is that symmetric encryption requires both parties to already share a secret key, which is useless for the everyday miracle of securely connecting to a website you have never visited before.

That miracle is performed by asymmetric (public key) cryptography — RSA, Diffie-Hellman, elliptic curve — which depends on mathematical problems that classical computers cannot feasibly reverse, like factoring enormous numbers into their prime components. Public key infrastructure built on these algorithms underpins HTTPS, VPNs, digital signatures, software updates, and the initial handshake that establishes virtually every secure session on the internet.

In 1994, mathematician Peter Shor showed that a sufficiently large quantum computer could solve exactly those problems efficiently. Quantum machines exploit qubits — particles that can hold multiple states simultaneously — enabling classes of algorithms that classical hardware cannot run. Today’s quantum computers are far too small and error-prone to break RSA; credible estimates for a cryptographically relevant machine cluster around the early-to-mid 2030s, though the timeline is genuinely uncertain in both directions.

The uncertainty is precisely why the threat is current. An adversary does not need a quantum computer today to harm your data subjects tomorrow. They only need your ciphertext today and patience. Storage is cheap; petabytes of intercepted TLS traffic, stolen encrypted databases, and archived backups are being stockpiled against “Q-Day.” Any personal data that will still be sensitive in 2035 — Social Security numbers, biometric templates, health histories, immigration status, sexual orientation, financial records, genetic data — is effectively exposed now if it is transmitted or stored under quantum-vulnerable encryption and intercepted along the way.

The Regulatory Machinery Is Already Moving

Post-quantum migration stopped being a research topic and became a compliance obligation in stages:

  • The Quantum Computing Cybersecurity Preparedness Act (2022) required federal agencies to inventory quantum-vulnerable cryptography and plan migrations — establishing the crypto-inventory discipline that is now spreading into the private sector through procurement.
  • NIST’s finalized standards (August 2024): FIPS 203 (ML-KEM, for key establishment), FIPS 204 (ML-DSA, for digital signatures), and FIPS 205 (SLH-DSA, a hash-based signature backup), with an additional backup key-encapsulation algorithm, HQC, selected in 2025. There is no longer a “the standards aren’t ready” excuse.
  • NIST IR 8547 lays out the transition timeline: quantum-vulnerable algorithms like RSA-2048 and ECC deprecated after 2030, disallowed after 2035.
  • The executive order sequence (14144 → 14306 → 14412) directs agencies — and by extension the enormous federal contractor ecosystem — toward PQC adoption, with CISA publishing lists of acceptable, commercially available product categories that support post-quantum protections.

Private-sector obligations follow through existing law rather than new statutes, and this is where privacy teams should focus. GDPR Article 32 requires security measures appropriate to the risk “taking into account the state of the art.” As PQC standards mature and migration becomes commercially ordinary, continuing to protect long-lived special-category data exclusively with quantum-vulnerable encryption becomes progressively harder to defend as state of the art. The same logic runs through the CCPA’s reasonable-security duty (and the private right of action attached to breaches of it), state-law “reasonable security” requirements in the roughly twenty comprehensive U.S. privacy statutes, the FTC Safeguards Rule, NYDFS cybersecurity requirements for financial firms, and the HIPAA Security Rule’s risk-analysis mandate — which, as ongoing rulemaking pushes toward mandatory encryption, will inevitably confront the question of encryption that is known to have a shelf life.

Regulators will not fine anyone in 2026 for lacking ML-KEM. But “we had no crypto inventory, no migration plan, and kept twenty years of SSNs under RSA” is a fact pattern that will age very badly in a 2032 breach investigation.

Why This Is a Privacy Problem, Not Just a Security Project

Three reasons privacy teams cannot sit this one out:

1. Prioritization requires data knowledge only privacy has. No organization can migrate everything at once. The rational sequence is to protect first the data whose sensitivity outlives the encryption protecting it. Security teams know where the cryptography is; they do not know, unless privacy tells them, which datasets contain identifiers that will still be radioactive in 2040. A Social Security number harvested today is a 2035 identity theft. A session token harvested today is garbage in an hour. Your records of processing, data inventory, and data maps are the prioritization engine for the entire migration.

2. Harvest-now-decrypt-later collapses the “encrypted data is safe” assumptions baked into privacy programs. Breach notification analyses routinely treat encrypted data as not compromised. Cross-border transfer mechanisms lean on encryption as a supplementary measure post-Schrems II. Retention decisions get waved through because “it’s encrypted at rest.” Each of those judgments carries an unstated expiration date if the encryption is quantum-vulnerable and the data is long-lived. DPIAs for new systems processing durable sensitive identifiers should start addressing cryptographic longevity explicitly.

3. The best countermeasure is already in the privacy toolkit. Data that was deleted in accordance with a retention schedule cannot be harvested. Data that was never collected cannot be decrypted on Q-Day. Minimization, purpose limitation, and aggressive retention enforcement are post-quantum controls that work today, cost less than any cryptographic migration, and are already legally required. The quantum threat is, among other things, the strongest business case ever handed to a privacy team asking to finally clean out the data warehouse.

A Practical Post-Quantum Readiness Plan for Compliance Teams

Step 1: Build the intersection of your data inventory and your crypto inventory. Security owns the cryptographic bill of materials (which systems use which algorithms, keys, certificates, and protocols). Privacy owns the data inventory (what personal data lives where, how sensitive it is, how long it is kept). Post-quantum risk lives at the intersection: quantum-vulnerable encryption protecting long-lived sensitive personal data. Produce that joined view, even in rough form. It will immediately surface your priority systems — typically HR and payroll (SSNs), identity verification stores, health data, biometric systems, and long-retention archives and backups.

Step 2: Score data by “sensitivity horizon.” For each dataset, ask one question: if this were decrypted in 2035, would anyone be harmed? Ephemeral operational data scores low. Immutable identifiers — SSNs, biometrics, genetic data — and durable facts — diagnoses, orientation, immigration history — score maximum. This single field, added to your data inventory, converts it into a PQC migration roadmap.

Step 3: Attack retention first. Every record deleted before Q-Day is a record that never needs migrating. Enforce existing retention schedules, shrink them where legally possible, and pay special attention to backups and archives — the densest concentrations of old, sensitive, quantum-vulnerable ciphertext in most organizations, and the ones most likely to be forgotten.

Step 4: Push PQC into vendor risk management. Your data’s cryptographic exposure is mostly your processors’ cryptographic exposure. Add post-quantum questions to security questionnaires and DPAs: Do you maintain a cryptographic inventory? What is your PQC migration timeline? Do you support or plan to support NIST-standardized algorithms (FIPS 203/204/205) or hybrid key exchange? Major cloud and browser providers have already begun deploying hybrid post-quantum TLS — vendors with no answer at all are telling you something.

Step 5: Demand crypto-agility in procurement. The specific algorithms matter less than the ability to swap them. Systems purchased today with hard-coded cryptography will still be running in 2035. Contract language requiring cryptographic agility and a committed PQC roadmap costs nothing now and saves a forced replatform later.

Step 6: Update DPIAs, transfer assessments, and breach playbooks. Build cryptographic longevity into DPIA templates for systems handling durable identifiers. Revisit transfer impact assessments that lean on encryption as the operative safeguard. And decide, before you need it, how your incident response process will treat the theft of encrypted data that is quantum-vulnerable — because “encrypted, therefore no notification” is a conclusion, not an analysis, and it gets weaker every year.

Step 7: Document the program. As with every other compliance domain, the defensible position is not perfection but demonstrable, risk-ranked progress: an inventory, a prioritization rationale grounded in data sensitivity, a timeline aligned to NIST’s 2030/2035 milestones, and evidence of vendor engagement. That paper trail is what separates “the state of the art moved and we moved with it” from negligence in hindsight.

The Window Is the Point

The strange gift of the quantum threat is that it announced itself decades in advance. Organizations get to choose whether Q-Day arrives as a managed transition or as a retroactive breach of everything they ever transmitted. The choice is being made now, dataset by dataset, retention decision by retention decision — and the organizations that will handle it well are the ones where privacy and security are prioritizing the migration together, using the data inventory as the map.

Your cyber colleagues can secure the data. They cannot know which data matters most unless you tell them. That is the privacy function’s job, and the clock — however many years remain on it — is already running.

Get Your Data Inventory Q-Day Ready With Captain Compliance

Every step above starts from the same foundation: knowing exactly what personal data you hold, where it lives, how sensitive it is, and how long you keep it. Captain Compliance gives privacy teams that foundation — automated data inventories and processing records, retention and minimization workflows that shrink your harvestable footprint, vendor disclosure and assessment tooling to push post-quantum questions down your processor chain, and continuous monitoring across every website and system you operate. When the security team asks which systems to migrate first, you will have the answer in front of you.

Book a demo with Captain Compliance and turn your data inventory into your post-quantum migration roadmap.

Written by: 

Online Privacy Compliance Made Easy

Captain Compliance makes it easy to develop, oversee, and expand your privacy program. Book a demo or start a trial now.