In the early months of 2008, Bank of Ireland found itself in hot water following the theft of a grand total of 4 laptops.
It was (quite rightly) a PR disaster for the organisation. I remember hearing many reports on the radio about how shameful it was that the theft of a small number of devices could result in the personal data of over 30,000 customers being put at risk.
The organisation engaged external consultants to investigate the scope of the breach, and I am sure they also had plenty of conversations with the Irish data protection regulator.
And then…
About 12 months later, the company reported a similar situation. Once again, more laptops had been lost or stolen.
The result this time around?
Radio silence.
No one cared.
Why?
Because this time around, the organisation was able to state categorically (with supporting evidence) that every laptop had been protected with disk encryption.
So what?
If a laptop is protected with disk encryption**, the data on it can be regarded as ‘appropriately secured’: whoever ends up with the hardware has no usable copy of the personal data, so losing the device is not the same as losing the data.
Putting it another way…
From a data protection and GDPR perspective, the lack of disk encryption on a laptop makes it difficult, if not impossible, for an organisation to prove that it has appropriate security measures in place to protect personal data.
GDPR may not clearly define a list of ‘appropriate security measures’.
But it’s clear that it includes encryption.
Don’t believe me?
Have you read Article 32 of GDPR lately?
“[The organisation] shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including [..] the pseudonymisation and encryption of personal data.”
(PS You get a special prize if you can pronounce ‘pseudonymisation‘ on your first attempt!)
So what should you do?
- Review my recent recommendations on how to ensure disk encryption is enabled on your devices.
- Regularly check (i.e. seek evidence) that it remains enabled, especially on new devices. At least one organisation has got itself into trouble with its data protection regulator after discovering encryption had been incorrectly deactivated on 1,500 laptops.
- If the team responsible for managing the security of your devices has failed to implement this security measure before you asked about it, or fails to maintain this security measure into the future, I recommend you clarify their role and responsibilities. If that does not work out, I recommend you find another team that’s up to the job.
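The second recommendation above asks for evidence, not assurances. The script below is an added example (not from the original post) of what that evidence check can look like in practice: it classifies the output of the native status tools on each platform (`manage-bde -status C:` on Windows, `fdesetup status` on macOS, `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME` on Linux) and lists every device that cannot be shown to be both encrypted and protected. It assumes you have already collected that raw output from each laptop (via your device-management tooling or a login script); the hostnames, device names and sample outputs are constructed for illustration. It also shows one state a naive "is it encrypted?" check misses: a BitLocker volume that is fully encrypted but has protection suspended, in which case the volume key sits on the disk in the clear.

```python
"""Disk-encryption evidence checker (added example, not from the original post).

Classifies the output of the native status tools run on each laptop and flags
every device that is not both encrypted AND protected. All sample outputs and
hostnames below are constructed for illustration.
"""
import re
import shlex
from enum import Enum


class Verdict(Enum):
    ENCRYPTED_PROTECTED = "encrypted, protectors active"
    ENCRYPTED_UNPROTECTED = "encrypted, but protection suspended (key stored in clear)"
    NOT_ENCRYPTED = "not (fully) encrypted"
    UNKNOWN = "could not determine"


def _field(text, name):
    """Value of a `Name:   value` line in `manage-bde -status` output."""
    m = re.search(rf"^\s*{re.escape(name)}:\s*(.+?)\s*$", text, re.MULTILINE)
    return m.group(1) if m else None


def check_bitlocker(status_text):
    """Windows: parse `manage-bde -status C:`.

    Caveat: a volume can be 'Fully Encrypted' yet show 'Protection Off'. That is
    a suspended volume: the key protectors (TPM, PIN, ...) are bypassed and the
    volume key is written to disk in the clear, so every sector is ciphertext
    but the data is not appropriately secured.
    """
    conv = _field(status_text, "Conversion Status")
    prot = _field(status_text, "Protection Status")
    if conv is None or prot is None:
        return Verdict.UNKNOWN
    if conv.lower() != "fully encrypted":      # decrypted, or still converting
        return Verdict.NOT_ENCRYPTED
    if prot.lower() == "protection on":
        return Verdict.ENCRYPTED_PROTECTED
    return Verdict.ENCRYPTED_UNPROTECTED


def check_filevault(status_text):
    """macOS: parse `fdesetup status` ('FileVault is On.' / 'FileVault is Off.')."""
    m = re.search(r"FileVault is (On|Off)\.", status_text)
    if not m:
        return Verdict.UNKNOWN
    if m.group(1) == "Off" or "in progress" in status_text.lower():
        return Verdict.NOT_ENCRYPTED           # off, or conversion not finished
    return Verdict.ENCRYPTED_PROTECTED


def check_luks(lsblk_text):
    """Linux: parse `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME` (key="value" pairs)
    and walk from the device mounted at / up its parents (PKNAME); an ancestor
    of TYPE "crypt" means the root filesystem sits on dm-crypt/LUKS."""
    devices = {}
    for line in lsblk_text.strip().splitlines():
        kv = dict(tok.split("=", 1) for tok in shlex.split(line))
        devices[kv["NAME"]] = kv
    node = next((d for d in devices.values() if d.get("MOUNTPOINT") == "/"), None)
    if node is None:
        return Verdict.UNKNOWN
    while node is not None:
        if node["TYPE"] == "crypt":
            return Verdict.ENCRYPTED_PROTECTED
        node = devices.get(node.get("PKNAME", ""))
    return Verdict.NOT_ENCRYPTED


CHECKERS = {"windows": check_bitlocker, "macos": check_filevault, "linux": check_luks}


def audit(evidence):
    """evidence: iterable of (hostname, os, raw tool output) -> {hostname: Verdict}."""
    return {host: CHECKERS[os](text) for host, os, text in evidence}


def non_compliant(results):
    """Hostnames that cannot be shown to be appropriately secured."""
    return sorted(h for h, v in results.items() if v is not Verdict.ENCRYPTED_PROTECTED)


# Constructed sample outputs (hypothetical hostnames and device names).
SAMPLE_BITLOCKER_SUSPENDED = """\
Volume C: [Windows]
[OS Volume]

    Size:                 237.00 GB
    Conversion Status:    Fully Encrypted
    Protection Status:    Protection Off
    Key Protectors:
        TPM
        Numerical Password
"""
SAMPLE_LSBLK_LUKS = """\
NAME="nvme0n1" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="nvme0n1p1" TYPE="part" MOUNTPOINT="/boot/efi" PKNAME="nvme0n1"
NAME="nvme0n1p2" TYPE="part" MOUNTPOINT="" PKNAME="nvme0n1"
NAME="luks-1a2b" TYPE="crypt" MOUNTPOINT="" PKNAME="nvme0n1p2"
NAME="vg-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="luks-1a2b"
"""
SAMPLE_FLEET = [
    ("lap-win-01", "windows", SAMPLE_BITLOCKER_SUSPENDED.replace("Protection Off", "Protection On")),
    ("lap-win-02", "windows", SAMPLE_BITLOCKER_SUSPENDED),
    ("lap-mac-01", "macos", "FileVault is On.\n"),
    ("lap-lin-01", "linux", SAMPLE_LSBLK_LUKS),
]

if __name__ == "__main__":
    results = audit(SAMPLE_FLEET)
    for host, verdict in results.items():
        print(f"{host:12} {verdict.value}")
    print("non-compliant:", non_compliant(results))
```

Run this against the real tool output from every device on a schedule, keep the dated list of non-compliant hostnames, and you have the evidence trail the post asks for: a record showing that encryption was checked, not merely assumed. A device that is fully encrypted but reports protection suspended belongs on that list just as much as one that was never encrypted.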
** Assuming the user’s login password is not written on a post-it note attached to the laptop!