8 May 2018

Will the arrival of GDPR affect the usage of Flash Drives?


Unless you have been living under a large rock, you’ll have no doubt heard of the terrifying acronym GDPR. It’s likely you’ve spent the last few months scrambling around frantically trying to establish exactly what data you have, why you’ve got it, where you got it from, and what on earth you’re going to do with it. Being a merchandise man, I am particularly interested in how GDPR might affect one of the most successful corporate gift items of all time – our trusty friend the USB Flash Drive!

Despite the adoption of Cloud storage by many individuals and companies, many still routinely use flash drives to store data. A big reason for this is that flash drives represent excellent value for money and let’s face it – nothing compares to keeping valuable data in one’s pocket.

However, if the data being stored is of a sensitive nature (concerning a data subject’s racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual life, or details of criminal offences), this could pose a serious problem when it comes to GDPR compliance!

Fear not, though, for there exists a very special GDPR Flash Drive that enables a user to store such sensitive data without fear of falling foul of GDPR compliance through something called data encryption. This means that instead of GDPR being a setback for the flash drive as a viable corporate give-away, it’s a big opportunity.

First and foremost, if a user of a flash drive isn’t storing personal GDPR sensitive data then there simply isn’t a problem. If, however, the user is, then they’ll be interested in the following information:

Unlike regular Flash Drives, a GDPR Flash Drive is Hardware Encrypted (not software encrypted), password protected, comes in 8GB, 16GB, 32GB or 64GB memory sizes and can be printed with a client’s logo and message.

Can a Flash Drive be GDPR compliant?

This is a simple question and one that I suspect we will be asked by those who are interested in a “GDPR” Flash Drive. The answer, however, isn’t quite so simple.

What is data encryption?

Encryption is a technique for ensuring confidentiality by encoding data such that it cannot be read by anyone not authorised to do so. Even if an information system is breached and data stolen, the data would prove worthless to a criminal who lacked the keys to unlock the encryption – or the processing power to force the lock by trying every combination of possible codes.

A GDPR Flash Drive is Hardware Encrypted using the 256-bit AES algorithm. This is also referred to as “military-grade encryption”.

Is encryption mandatory for GDPR compliance?

Although the word encryption can be found in the EU GDPR, it’s only mentioned a few times, and in each instance it’s modified with words like “such as”, “may include”, and “as appropriate.” A strictly legal analysis of the real-world difficulties in implementing encryption would probably conclude that encryption cannot be made mandatory.

What do the ICO suggest?

If the data to be protected is particularly sensitive, then the use of encryption is very strongly recommended (if not mandatory) and its robustness/assurance should also be of a high quality. This is particularly pertinent when handling personal data, as losses or mishandling of personal data could result in considerable fines and legal action. The General Data Protection Regulation 2018 states that encryption is a “shall” for personal data, as shown below:

• Article 32 – Security of Processing: Para 1: The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: Para 1a: The pseudonymisation and encryption of personal data.

So in short, whilst we can’t guarantee that a GDPR Flash Drive will make the client GDPR compliant, we can say that their sensitive data, when stored on our GDPR Flash Drive, will be encrypted and therefore if stolen or left on a bus will not represent a serious personal data breach that could easily bring a company to its knees.

If you have Schools, Colleges, Government Departments, Councils or Hospitals on your client list then I’m confident that GDPR “compliant” Flash Drives will be of great interest and value to their organisations in the coming weeks and months.

If you have any queries or would like a FREE quote you can contact us here.