GDPR Compliance I.T. Support

Hello, I have just recently taken over IT Support for a couple of small education schools. GDPR is kicking in very soon and I just wonder how this affects the I.T. in terms of encryption, i.e. Office 365 emails or emails in general, USB sticks, logging into PCs, iPads, antivirus, backups etc.

Does the GDPR state that EVERYTHING has to be encrypted, i.e. PC\laptop hard drives, or just confidential data onsite and data that is going offsite? Do all USB sticks need to be encrypted? Does data on the server need to be encrypted, i.e. Word and Excel files? What is the rule regarding these areas please? It's a minefield.

Any help would be most gratefully received,

Thanks guys.
discoveranother Asked:

noci (Software Engineer) Commented:
Don't mistake GDPR for being an IT-only issue; it extends to all forms of storage, like paper records, archives, backups...
Starting now is getting a bit late to the party. The Regulation has been 5+ years in the making and was accepted in parliament 2 years ago,
and the last ratification by EU members was done 1 year ago, according to the schedule that started 2 years ago.
25th of May is the date of effect.
The fines can be hefty... the higher of EUR 10M or 2% of the annual worldwide turnover of last year.
So a minefield possibly...
The problem really is the sloppiness around personal data handling, and the misuse that is made based on misunderstandings, that is the cause of this GDPR. At least there is one regulation for the EU as a whole, not 27 different ones.

GDPR is about all data that contains material through which a person can be identified, and data that can be attributed to that.
So a first name as such is not, but adding a family name does make it identifiable. In the case of a school,
the first name + classroom + year surely also fits the bill.
For email some data will need to be PGP encrypted, as for Office 365 S/MIME doesn't cut it (mail contents are plain-text readable data unless PGP or S/MIME with sufficiently large keys are used).
So this includes phone numbers, MAC addresses of phones, laptops etc., IP address + timestamps together, ...

It doesn't state that it needs to be encrypted; it states that it needs to be protected... you decide on the method.
A plain USB stick won't be good, and it needs more than just using good encryption: procedures around handling the data, as well as lists of who can access & modify the data, and when data is updated and by whom, will mostly cover it (probably, IANAL).
If you store stuff with 3rd parties (like Office 365) you need a contract that states responsibilities/rights on both sides.
Also you need an agreement with the "customers" about the data they provided to you and how you process it, for what purpose and who has access; it should also cover what happens to data when contracts end, etc. etc.

So Office 365 means a DC has access, Microsoft has access (and other 3rd parties involved? like resellers)...

On the purpose of data: if you ask for a mail address to send absence notices then you may not use that address for other purposes like mailings; you need to know why you want some data.
If you have no use for some data items, now is the time to strip them. If it doesn't matter to you if F/M is removed because it isn't used, then drop it.
A generic "all data you provide will be processed according to our daily changing vision", like it was until now, needs some amendments.

Oh, the whole responsibility is with the organisation that gives the orders to 3rd parties (i.e. a school in this case) to arrange everything: from the end-user agreements that you have with parents/pupils, which give a description of the contract parties involved, to the contracts with the other parties involved.
 
discoveranother (Author) Commented:
.....For email some data will need to be PGP encrypted, as for Office 365 S/MIME doesn't cut it (mail contents are plain-text readable data unless PGP or S/MIME with sufficiently large keys are used).
So this includes phone numbers, MAC addresses of phones, laptops etc., IP address + timestamps together, ... .......It doesn't state that it needs to be encrypted; it states that it needs to be protected... you decide on the method.
A plain USB stick won't be good, and it needs more than just using good encryption.....

Thank you, a very informative and well-written article.

So Microsoft doesn't include a way of encrypting Office 365 emails, for example? I was sure I read that they were putting this in place, but maybe not. So PGP allows emails going out to be encrypted? Is this an application that is installed on a user's PC, for example, or on an email server? Sorry to ask, I just need to know.

Also, I assume that with USB sticks, by "more than good encryption" you mean being sensible about data and how it is stored and transmitted?

Thank you
 
noci (Software Engineer) Commented:
Think about it: public key encryption requires two keys, a private one and a public one; the private one should be in your head (or wallet).
The public key can be spread far & wide. Oh, btw, you will also need parents/pupils to start mailing with PGP.
But the private key cannot be in a public place like a web-based mail system. Giving the private key to a mail server defeats the precise thing a private key provides: confidentiality.
So no Gmail, Office 365, Roundcube, Facebook... all web-based providers can never provide this without you giving up your (and your mail parties') confidentiality.
PGP is a tool with which you have an infrastructure for exchanging public keys, and keeping private keys on your own system.
It will encrypt files, and those files can be sent as an attachment (or as content in an e-mail). Mind that you don't divulge data in the subject etc.
Look up GnuPG, it is the best release atm. It is an application on the end-user system.

USB sticks are basically "data at rest". The only effective way for that is encryption, like it is for laptops (whole-disk encryption, not only certain files).
For servers this might be moot, unless they are stolen or turned off; then the data on the disks is also data at rest.
When an OS is running, the OS should protect the data. Generic Windows makes every user ADMIN, so there is no real security.
You will need a domain setup, with proper access management. (You will need to identify the users of your systems anyway, as you need to log who accesses information.)

For encryption you need keys, same for decryption... For proper use you need procedures and ways to have some secure storage of those,
and maybe you need keys for "teacher-form1-2017", "teacher-form1-2018" and renew those yearly... and keep a secure record of those in an off-line safe.
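The PGP flow noci describes above (public key handed out freely, private key kept only on the end-user's own system, the encrypted file sent as an attachment, keys renewed yearly), as an added shell example that is not part of the thread. It drives GnuPG 2.1 or newer against two throw-away keyrings standing in for the "school" and a "parent"; the names, the parent@example.invalid address, the one-year expiry and the absence-notice text are made up for the demo, and the empty passphrase is there only so the script runs without a pinentry prompt (a real private key gets a passphrase).

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes GnuPG 2.1+ (gpg, gpgconf).
# Every name, address and message below is made up for the demo.

# Run gpg against a private throw-away keyring so nothing touches ~/.gnupg.
gpg_as() {
    home="$1"; shift
    GNUPGHOME="$home" gpg --batch --quiet --no-tty --pinentry-mode loopback "$@"
}

# A fresh keyring directory; loopback pinentry lets --passphrase work unattended.
make_home() {
    d=$(mktemp -d)
    chmod 700 "$d"
    printf 'allow-loopback-pinentry\n' > "$d/gpg-agent.conf"
    echo "$d"
}

# Prints "ok" when the round trip behaves as PGP should, "skipped" without gpg,
# anything else (and non-zero exit) on a failure.
pgp_roundtrip_demo() {
    command -v gpg >/dev/null 2>&1 || { echo skipped; return 0; }
    school=$(make_home); parent=$(make_home); work=$(mktemp -d)

    # 1. The parent generates a keypair on their own machine. One-year expiry
    #    mirrors the "renew yearly" advice; empty passphrase is demo-only.
    gpg_as "$parent" --passphrase '' --quick-generate-key \
        'Demo Parent <parent@example.invalid>' default default 1y \
        || { echo keygen-failed; return 1; }

    # 2. Only the PUBLIC key leaves the parent's machine; the school imports it.
    gpg_as "$parent" --armor --export parent@example.invalid > "$work/parent.pub"
    gpg_as "$school" --import "$work/parent.pub" || { echo import-failed; return 1; }

    # 3. The school encrypts an absence notice to the parent's public key.
    #    --trust-model always stands in for the key verification a real
    #    deployment does out of band (the school has no web of trust for it).
    printf 'Absence notice for pupil 42, form 1: absent 2018-05-25\n' > "$work/notice.txt"
    gpg_as "$school" --trust-model always --recipient parent@example.invalid \
        --output "$work/notice.txt.gpg" --encrypt "$work/notice.txt" \
        || { echo encrypt-failed; return 1; }

    # 4. The ciphertext does not contain the plaintext (it is what gets mailed).
    if grep -q 'pupil 42' "$work/notice.txt.gpg"; then echo plaintext-leaked; return 1; fi

    # 5. The school holds no private key, so it cannot read its own ciphertext.
    #    This is the point about web mail: whoever holds the private key reads.
    if gpg_as "$school" --output "$work/leak.txt" --decrypt "$work/notice.txt.gpg" 2>/dev/null; then
        echo school-decrypted-without-private-key; return 1
    fi

    # 6. The parent, holding the private key, recovers the exact notice.
    gpg_as "$parent" --output "$work/notice.dec" --decrypt "$work/notice.txt.gpg" \
        || { echo decrypt-failed; return 1; }
    [ "$(cat "$work/notice.txt")" = "$(cat "$work/notice.dec")" ] \
        || { echo plaintext-mismatch; return 1; }

    # Tear down the agents started for the throw-away keyrings and clean up.
    GNUPGHOME="$school" gpgconf --kill gpg-agent 2>/dev/null
    GNUPGHOME="$parent" gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$school" "$parent" "$work"
    echo ok
}
```

Source the file and call `pgp_roundtrip_demo`; it prints `ok` on success. The attachment in step 3 is the file you would put on the e-mail, and step 5 is the property that a private key stored on a mail server would throw away.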
 
discoveranother (Author) Commented:
All great advice