When organisations transfer data, they inevitably compromise its security to some degree. It’s no longer secured behind physical defences, such as in a locked drawer in the organisation’s secure premises, and the means of transfer can be lost, stolen or hacked.
There’s not much organisations can do to eliminate data loss, so the problem becomes how to reduce the damage once the data is exposed?
This is a particularly pressing concern with the EU General Data Protection Regulation (GDPR) taking effect this year. The GDPR strengthens EU residents’ rights concerning their personal data and applies to all organisations in the world that process such data.
Although transferring data is often risky, it’s usually necessary. The US government’s attempt to ban USB flash drives failed because it was simply too impractical. Removable devices are incredibly helpful for moving files and keeping backups.
The GDPR asserts that data subjects have the right to data portability, which acknowledges the importance of removable devices. This allows individuals to obtain and reuse their personal data for their own purposes across different sectors. It applies:
- To personal data an individual has provided to a controller;
- Where the processing is based on the individual’s consent or for the performance of a contract; and
- When processing is carried out by automated means.
All personal data must be transferred in a structured, commonly used and machine-readable form.
Pseudonymisation and encryption
The GDPR advises organisations to pseudonymise and/or encrypt all personal data. This won’t stop malicious actors accessing the information altogether, but it will make it much harder for them. According to Gemalto’s Breach Level Index, only 4% of data breaches since 2013 have involved encrypted data.
Pseudonymisation masks data by replacing identifying information with artificial identifiers. Although it is central to protecting data – being mentioned 15 times in the GDPR – and can help protect the privacy and security of personal data, pseudonymisation has its limits, which is why the GDPR also mentions encryption.
Encryption also obscures information by replacing identifiers with something else. But whereas pseudonymisation allows anyone with access to the data to view part of the data set, encryption allows only approved users to access the full data set.
Pseudonymisation and encryption can be used simultaneously or separately.
Neither encryption nor pseudonymisation require technical knowledge to implement (which is good news for Home Secretary Amber Rudd). The difficulty for organisations is in putting in place suitable security policies and procedures and making staff aware of their obligations.
Our GDPR Staff Awareness E-learning Course is a flexible way of introducing your staff to the Regulation’s compliance requirements. It covers the scope of the Regulation, the key data protection roles, the principles for collecting and processing personal information, and how to apply the requirements to your organisation.
This course is suitable for all staff, and with the cost of data breaches rising every year, it’s essential that everyone in your organisation follows best practice for staying secure.