Under the terms of GDPR, a business is obliged to keep the data it holds on behalf of an individual safe and undestroyed. Everyone has become used to putting data on USB sticks and other removable storage, then carrying them around in pockets or bags. They are often taken home.
However, USB sticks go missing. In a recent survey from Apricorn, over 80% of employees said they had lost a USB stick and not told their employer. Under the new rules, if a USB stick goes missing it should be reported to the ICO within 72 hours, and explanations will be required.
The question then is: was the information encrypted, and if not, why not?
It is essential that all businesses think carefully about their procedures and how they use USB sticks. Can they safely be taken out of the building?
New protocols will be needed and staff will need training. Businesses may decide simply to put everything in the cloud and forget about USB sticks altogether, as IBM has decided to do.
Important Points to take away:
- Care is needed over where USB sticks come from. They are often given away at trade shows and not scanned for viruses before use. Businesses should provide any necessary removable storage devices to their employees and ban all others.
- All sensitive data on removable devices should be encrypted. If a device could be taken out of the premises, encryption should be considered whatever is on it.
- Removable devices should be protected by PINs and passwords.
- A policy covering the use of removable devices by employees should be put in place.
- Staff should be trained as to what is acceptable and what is not.
- Removable storage devices should be tracked so that the business knows where they are.
- Procedures should be put in place to ensure that any losses are reported to the employer, and that the employer reports them to the ICO.
A business can lose data through hacking; it should not simply give it away on a little stick. Under the new rules, more care is needed.