
GDPR, and encrypting a USB drive

Solved by rcmaehl


This is probably a very basic question, but here goes. 

 

I run a very small business, and commute to different places to run courses at different venues. I work on my gaming PC, a laptop, and a little rig I built. They all run Windows 10 Home edition.

 

I have a 200+GB USB drive that I would like to use to carry data to and from courses if required, and to store my company data on so that I have all the files in one place (and backed up somewhere else for latency).

 

Can anyone please recommend a good, reputable and affordable method of encrypting the USB drive so that I am GDPR compliant?

 

TIA 


If you had Win 10 Pro you could use BitLocker to encrypt the drive; otherwise, if you have a Samsung external SSD, you could use their encryption.

I only see your reply if you @ me.

This reply/comment was generated by AI.


General encryption using VeraCrypt should be fine. BitLocker may also work, but there are known backdoors in it and I wouldn't trust it.

 

Per: https://www.zettaset.com/blog/gdpr-compliance-encryption-requirements/

 

Quote

Although there are no explicit GDPR encryption requirements, the regulation does require you to enforce security measures and safeguards. The GDPR repeatedly highlights encryption and pseudonymization as “appropriate technical and organizational measures” of personal data security.

 

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 2700X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 48GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor


 


Encryption has nothing to do with GDPR compliance. (It's an over-exaggeration to say nothing, but it's not a solution to become compliant.)

 

If you have customer personal data stored and you have a valid reason and the permission of the data subject to have that data, then you are GDPR compliant. (I've just finished my second GDPR audit, so I don't have the energy to get into the details of the finer points of when you are compliant or not)

 

Encryption of the data and storing it securely is more about ISO 27001 compliance, not GDPR. (But worth noting that your systems must be secured via procedure as a minimum, preferably via technical means; your current procedure of taking customer data around with you is a massive GDPR fail.)

 

Encryption alone is not enough to "secure the data", because the GDPR talks about people viewing OR gaining access to the data; "just because it is encrypted doesn't mean they don't have access" is the line my lawyers have given me about this.

 

But anyway, upgrade Windows 10 to the Pro edition and use BitLocker, or just use a secure USB drive that encrypts automatically.

 

 

Personally I think that you need to hire a lawyer and go talk to them about what you need to be aware of when running a company, because it doesn't sound like you really know what you need to do to be compliant with the law.
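An added example (not from any poster in this thread) of the BitLocker To Go route suggested above: a PowerShell check that a removable drive is actually encrypted and protected before personal data goes on it, plus a helper to turn encryption on with a password and a recovery password. It assumes Windows 10 Pro or Enterprise and an elevated session, since the BitLocker cmdlets are not available on the Home edition the original poster runs.

```powershell
# Added example: audit removable drives for BitLocker To Go status and,
# for a chosen drive, enable it with a password plus a recovery password.
# Assumes Windows 10 Pro/Enterprise and an elevated PowerShell session.
#Requires -RunAsAdministrator

function Get-RemovableDriveEncryptionStatus {
    # One row per removable volume: is it encrypted, and is protection active?
    Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } |
        ForEach-Object {
            $mount = "$($_.DriveLetter):"
            $bl = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Drive            = $mount
                Label            = $_.FileSystemLabel
                VolumeStatus     = if ($bl) { $bl.VolumeStatus } else { 'Unknown' }
                ProtectionStatus = if ($bl) { $bl.ProtectionStatus } else { 'Unknown' }
                # Only "fully encrypted" AND "protection on" counts; a drive that is
                # still encrypting, or encrypted but with protectors suspended, does not.
                SafeToCarryData  = [bool]($bl -and
                                          $bl.VolumeStatus -eq 'FullyEncrypted' -and
                                          $bl.ProtectionStatus -eq 'On')
            }
        }
}

function Enable-RemovableDriveEncryption {
    param([Parameter(Mandatory)][string]$MountPoint)   # e.g. 'E:'
    $password = Read-Host -AsSecureString "Password to unlock $MountPoint"
    # XTS-AES-256; used-space-only so a large, mostly empty drive finishes quickly.
    Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $password `
        -EncryptionMethod XtsAes256 -UsedSpaceOnly
    # The recovery password is the way back in if the unlock password is lost;
    # it is returned once so it can be stored somewhere other than the drive itself.
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $vol.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Select-Object -ExpandProperty RecoveryPassword
}

Get-RemovableDriveEncryptionStatus | Format-Table -AutoSize
```

Run the audit before each trip; any row with SafeToCarryData false is a drive that should not leave the office with customer data on it.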


On 3/28/2019 at 2:36 PM, FlappyBoobs said:

Encryption has nothing to do with GDPR compliance. (It's an over-exaggeration to say nothing, but it's not a solution to become compliant.)

 

If you have customer personal data stored and you have a valid reason and the permission of the data subject to have that data, then you are GDPR compliant. (I've just finished my second GDPR audit, so I don't have the energy to get into the details of the finer points of when you are compliant or not)

 

Encryption of the data and storing it securely is more about ISO 27001 compliance, not GDPR. (But worth noting that your systems must be secured via procedure as a minimum, preferably via technical means; your current procedure of taking customer data around with you is a massive GDPR fail.)

 

Encryption alone is not enough to "secure the data", because the GDPR talks about people viewing OR gaining access to the data; "just because it is encrypted doesn't mean they don't have access" is the line my lawyers have given me about this.

 

But anyway, upgrade Windows 10 to the Pro edition and use BitLocker, or just use a secure USB drive that encrypts automatically.

 

 

Personally I think that you need to hire a lawyer and go talk to them about what you need to be aware of when running a company, because it doesn't sound like you really know what you need to do to be compliant with the law.

Wow, you stooped pretty low pretty quickly. I asked because my awarding body has requested it as part of my accreditation, and stated that it was a GDPR compliance issue. So please don't patronise me. Thank you for the brief explanation about the differences between GDPR and ISO 27001; that was helpful. However, your last sentence was just plain rude and uncalled for. I have been running this business completely GDPR compliant (apparently, from what you've told me, and I'll now look further into it and respond to my awarding body with supported data) and legally for years now, so please think before you type. I seriously hope no new business people ever come to you for help.

 

P.S. you didn't need to help, you could have just moved on down the forum rather than being rude.


13 hours ago, WitchyBach said:

Wow, you stooped pretty low pretty quickly. I asked because my awarding body has requested it as part of my accreditation, and stated that it was a GDPR compliance issue. So please don't patronise me. Thank you for the brief explanation about the differences between GDPR and ISO 27001; that was helpful. However, your last sentence was just plain rude and uncalled for. I have been running this business completely GDPR compliant (apparently, from what you've told me, and I'll now look further into it and respond to my awarding body with supported data) and legally for years now, so please think before you type. I seriously hope no new business people ever come to you for help.

 

P.S. you didn't need to help, you could have just moved on down the forum rather than being rude.

It wasn't meant to be rude; you didn't have to take it that way. With what you have said here you have demonstrated a lack of knowledge on the subject, a subject I know very well. You and your "accreditation body" may disagree, and that's fine, but my thoughts that you need a second opinion from a legal professional are very valid.
