No matter who you are, you will have likely heard about the imminent introduction of GDPR on 25th May 2018. But, what exactly is it? And, how will USBs be affected?
To help ensure your business is compliant with the new EU regulation, we’ve created this short guide to managing data on Encrypted USB Sticks
What is GDPR?
First of all, we need to explain what GDPR (General Data Protection Regulation) is. Essentially, it’s a new regulation that seeks to replace the outdated Data Protection Directive. Companies and organisations who deal with data relating to anyone in the UK or EU will have to adhere to these new rules and regulations, which include the following:
- Appointing a Data Protection Officer (DPO) to manage data and report data breaches to governing bodies.
- Establish security processes to protect all sensitive data you handle.
- Understanding consent – all companies must be able to prove consent to contact individuals beyond the original transaction.
Those who do not adhere to the new regulations can be fined up to 2% of their annual turnover or €20 million whichever is greater in value.
How do you become compliant?
Making small changes to everyday processes where data is used or held and adopting best practices is what GDPR is all about.
Auditing your data should be the first step. You need to understand where your data is stored to ensure it’s secure and that you only hold data that’s key to maintaining communication with your clients, customers, or suppliers.
When it comes to addressing security, create processes that remove data siloes and identify whether your data resides on employee desktops or cloud-based servers, for example, to ensure you can create processes to protect data even if it’s copied by employees onto portable media such as USB drives.
What’s important to note, is that you won’t be GDPR compliant without addressing USB data loss.
That means, whether you are a large company using USBs as a convenient backup device, or a wedding photographer storing your customer’s photos on a USB drive, it is important to make sure that only you and your clients can access that data.
There are a few simple steps to implement that will ensure everyone is compliant no matter what purpose they have for storing data on USBs.
Setting up encryption and tracking
There are many legitimate uses for USB drives and many companies continue to favour their use for moving large files, maintaining backups, protecting you against ransomware attacks, and helping you recover from interruptions, along with a mobile way of accessing data. USB devices offer a convenient way to transfer data between two computers. However, their small physical size and large data capacity mean that large volumes of personal data can be lost or stolen with relative ease.
Some companies are implementing visibility tools that allow them to manage the use of USB drives, with the ability to block the movement of data onto drives.
Adding the ability to track the usage of these devices can help you identify who is accessing them. More importantly, it allows you to block access where necessary. This method may be more useful to larger companies with multiple users.
There are several tools out there that offer tracking, such as My USB Tracker and IHound. If this is a path you want to go down for your client, these are worth looking at, then should anyone query your data management and security processes, you can be completely transparent and provide details of these tools, along with your compliance to GDPR.
This is likely to be the more common and popular way of securing USB devices. Encrypting a drive is like shutting the drive off with a padlock and key, in which you only provide the key to those authorised to access it. Encryption scrambles all the data on a drive so it only makes sense to the person that enters the right password. This solution is much easier to follow and is therefore ideal for smaller businesses.
At USB Makers, we have a lot of photography clients that love to share their photos and data on customised USB drives in well-presented boxes. Even this could fall under GDPR compliance depending on the data that is stored on the drives. However, there is some basic step-by-step instructions you can follow to encrypt the data on the drive and simply give your clients the password to unlock. This ensures you have taken the right steps to keep personal data safe.
If you do hold data that applies to a citizen of the UK or EU on USBs, it’s recommended that you encrypt your USBs so that the data they contain cannot be read by anybody other than the authorised user.
In the case whereby an encrypted USB is stolen or lost, it is classed as a security breach rather than a data breach and therefore you don’t have to report this to the supervisory authorities.
Here are some basic steps you can follow to encrypt your USB drive:
How Encryption for Mac users
If you’re a Mac user, you’ll need to make some modifications to your USB drive first. Here’s what you’ll need to do:
- Apple uses the HFS+ filesystem to encrypt removable media, so the drive will need formatting using that filesystem. To begin, open the Disk Utility app, select your USB drive, and pick Erase.
- Choose the macOS Extended (Journaled) format and erase the drive, formatting it with the proper filesystem.
- In the Finder, right-click your USB drive. Select “Encrypt” and enter a password to keep uninvited guests out.
- Encryption isn’t instant, so be prepared to wait a few minutes.
Encryption for Windows 10 users
Windows features its own built-in file encryption software called BitLocker. It works with NTFS, FAT, or FAT32 filesystems. Here’s what you’ll need to do:
- Navigate to your drive, right-click and choose “Format” to select which filesystem you want to use on your newly formatted drive.
- Select the drive in your file explorer and hit the Manage tab up top.
- Select BitLocker, then turn BitLocker on.
- Enter your password – you’ll have to do this twice.
- Save your recovery key to your Microsoft account.
Securing your hardware by encrypting your flash drive beforehand will prevent unauthorised individuals from gaining access to your data. It won’t get your flash drive back, but you’ll know that you and your data aren’t in danger.
So, there you have it, a quick and speedy guide to making sure you are compliant with any data stored on USB drives. At USB Makers we provide all kinds of custom USBs for our clients with all kinds of data, so we are regularly giving this advice. If you have any questions about whether you are taking the right steps for GDPR please get in touch.