In my line of work I have to consider the upcoming GDPR (General Data Protection Regulation) 2018, which means ensuring that the organisation is compliant as far as possible.
Like MOST organisations, this includes ensuring USB sticks are compliant too.
I wanted to show you my interpretation of the encryption requirement detailed here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/?q=encrypted
I will summarise the documentation guidance below but feel free to read it yourself.
Summary
GDPR follows DPA guidelines on data transportation. https://ico.org.uk/for-organisations/guide-to-data-protection/encryption/scenarios/transferring-personal-data-by-usb-device/
A user can use any USB storage device as long as there is no personal data on it and it must fulfil the following:
- If the device has previously contained ANY personal data, it must be securely wiped (format is not sufficient) first.
- IF a user needs to transfer ANY personal data, it must be encrypted by either SOFTWARE or HARDWARE encryption methods.
- ANY decryption key (or password) must be sent separately from the device if transferred between individuals.
Original Documentation
USB devices offer a convenient way to transfer data between two computers. However, their small physical size and large data capacity means that large volumes of personal data can be lost or stolen with relative ease.
Furthermore, if personal data is not securely wiped from USB devices prior to reuse there is a possibility that data considered deleted by the data controller could be recovered by a third-party.
Personal data can be encrypted by placing the files within an encrypted container on a USB device but requires the recipient to have access to the same encryption algorithm or software.
Hardware encrypted USB devices are also available which contain the necessary encryption capability embedded within the device, meaning that the data can be decrypted without the need for the user to install additional software. Due to a number of security risks present in permitting the use of USB devices, a number of organisations have implemented policies which forbid or technically limit the functionality of USB devices.
The sender would also need to consider a method to transfer the key or password to the recipient over a separate communication channel.