Under the GDPR, data controllers who receive a data subject access request must provide the individual with a copy of the personal data held about them within one month, and the new right to data portability requires that, where it applies, the data is supplied in a structured, commonly used and machine-readable electronic format.
And that’s likely not the only time you’ll need to move personal data around: plenty of daily business revolves around marshalling customer and user information from place to place.
However, once personal data leaves your network, for example as an email attachment or on a USB stick or CD, it is no longer behind your usual controls such as firewalls. To make personal data in transit harder for criminals to read, Article 32 of the GDPR names pseudonymisation and encryption as appropriate technical measures for controllers to consider.
Protecting data transfer with pseudonymisation
Pseudonymisation replaces the fields that directly identify a person (name, email address, customer number) with an artificial identifier, or token, with the information needed to reverse that mapping kept separately. That limits exposure, but only partially: anyone who obtains the pseudonymised file can still read every other attribute in it, and if those attributes are distinctive (a postcode, a date of birth, a rare diagnosis) the person can often be re-identified by matching against other data. Pseudonymisation reduces the value of stolen data; it does not hide it.
How encryption protects during data transfer
Encryption goes further: it transforms the whole data set, not just the identifiers, so that none of it can be read without the decryption key, and you can restrict that key to approved recipients. According to Gemalto’s Breach Level Index, only four percent of data breaches since 2013 have involved encrypted data.
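The difference between the two sections above is easiest to see side by side. The following Go program is an added example, not code from the original article or from Me Learning: it pseudonymises a constructed sample record by replacing the identifiers with a keyed HMAC-SHA256 token (the secret being the "additional information" that must be stored separately), and separately encrypts the same record with AES-256-GCM. The record fields, names and keys are all invented for illustration. The pseudonymised copy still carries the diagnosis in clear; the encrypted copy carries nothing readable, and decrypting it with the wrong key (or after tampering) fails rather than returning garbage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Record is one row of a constructed sample data set (not a real person).
type Record struct {
	Name      string `json:"name"`
	Email     string `json:"email"`
	Diagnosis string `json:"diagnosis"` // special category data
}

// PseudoRecord is a pseudonymised row: the direct identifiers are replaced by
// a token, but every other attribute is still in clear.
type PseudoRecord struct {
	SubjectID string `json:"subject_id"`
	Diagnosis string `json:"diagnosis"`
}

// Pseudonymise derives the token as HMAC-SHA256(pseudoKey, email). The key is
// the "additional information" that must be kept separately from the data set;
// whoever holds it can recompute the token for a known email and re-link the row.
func Pseudonymise(rec Record, pseudoKey []byte) PseudoRecord {
	mac := hmac.New(sha256.New, pseudoKey)
	mac.Write([]byte(rec.Email))
	return PseudoRecord{
		SubjectID: hex.EncodeToString(mac.Sum(nil))[:16],
		Diagnosis: rec.Diagnosis, // still readable by anyone holding the file
	}
}

// newGCM builds an AES-GCM AEAD; a 32-byte key selects AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt serialises the whole record and seals it. Output is nonce || ciphertext || tag.
func Encrypt(rec Record, key []byte) ([]byte, error) {
	plain, err := json.Marshal(rec)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per message
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// Decrypt reverses Encrypt. A wrong key or a modified blob fails authentication
// and returns an error; no partial plaintext is ever produced.
func Decrypt(blob, key []byte) (Record, error) {
	var rec Record
	gcm, err := newGCM(key)
	if err != nil {
		return rec, err
	}
	if len(blob) < gcm.NonceSize() {
		return rec, errors.New("ciphertext too short")
	}
	plain, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
	if err != nil {
		return rec, err
	}
	return rec, json.Unmarshal(plain, &rec)
}

func main() {
	rec := Record{Name: "A. Sample", Email: "a.sample@example.org", Diagnosis: "asthma"} // constructed
	pseudoKey, encKey := make([]byte, 32), make([]byte, 32)
	rand.Read(pseudoKey)
	rand.Read(encKey)

	pseudo, _ := json.Marshal(Pseudonymise(rec, pseudoKey))
	fmt.Printf("pseudonymised: %s\n", pseudo)
	blob, _ := Encrypt(rec, encKey)
	fmt.Println("diagnosis readable in pseudonymised copy:", bytes.Contains(pseudo, []byte(rec.Diagnosis)))
	fmt.Println("diagnosis readable in encrypted copy:    ", bytes.Contains(blob, []byte(rec.Diagnosis)))
	_, err := Decrypt(blob, pseudoKey) // wrong key: authentication fails
	fmt.Println("decrypt with wrong key:", err)
}
```

Two practical points follow from the code. The HMAC key and the AES key are what actually protect the data, so each has to travel to the recipient by a different route from the file itself (a shared secret agreed in advance, or a key-management service), never in the same email. And because the pseudonymous token is deterministic, the same person always gets the same SubjectID across files, which is what makes pseudonymised data sets linkable and is why the token key, not just the data, needs protecting.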
Keeping all personal data secure in transit
Any personal data you send must be appropriately protected while in transit; if it is not, a misdirected or intercepted message is a personal data breach and can lead to ICO enforcement action.
For example, North Somerset Council sent five emails, two of which contained details of a child’s serious case review, to the wrong NHS employee. The data wasn’t encrypted, so the unintended recipient had full view of the child’s personal data. This led to a £60,000 fine from the Information Commissioner’s Office (ICO) under the Data Protection Act 1998. The ICO also found that the council had failed to give staff appropriate data protection training, and recommended that it adopt a more secure means of sending information electronically, such as encryption.
Make sure your organisation has a policy governing encrypted email so that staff clearly understand when they must use it. For example, include a rule that any email containing sensitive personal data (now called “special category” data under the GDPR) is sent encrypted, and name the approved tool so that staff are not left to guess. You can include this in your cyber security policy.
Me Learning has developed a portfolio of flexible, online GDPR training courses to help organisations with GDPR compliance. For more information click here.