Encrypting portable devices for data security and GDPR compliance
This article examines the risk of sensitive data being compromised when a portable device is lost or stolen, and how encryption mitigates that risk. It also covers the technical aspects of implementing encryption on portable devices, so that company policies can better comply with the GDPR.
1.1 What is encryption?
Encryption is a means of scrambling data on a device in such a way that makes it unreadable to anyone without a decryption password.
For example, the contents of a document may be:
“An individual’s extensive online identity, including bank details, dating profiles, shopping accounts and passport information, can be bought for only £820 on the dark web.” – The Times 28/02/18
An encrypted version of these contents may look like:
Content is thus unreadable without the decryption password and decryption key. Modern encryption systems can ensure that revealing the content of encrypted data would take billions of computer hours, so the data is safe for some period going forward.
1.2 Why is encryption required?
When a device such as a laptop or mobile phone is frequently moved between sites (eg. office to office, home to office) we recommend that it is encrypted, so that if a malicious third party intercepts the device as a result of loss or theft, the data on the device remains inaccessible.
Whilst most of your crucial data will be stored on your server, which is physically secured, laptops and mobile phones can still contain downloaded emails, saved passwords, VPN connection details, and other types of sensitive data that could allow third parties access to your client information, or even your server directly. Because these devices are being moved frequently, the risk of having them stolen from a car, or being accidentally left on a train, is much higher than it would be for a server or static desktop.
In some cases, encryption may also be desirable for home devices that are shared with friends and relatives, or office devices shared between colleagues. In this case third-party access to the data may not be malicious, but due care and attention is still required.
1.3 My laptop has a password, or my phone has a lock screen. Isn’t it already protected?
Setting a password, PIN or lock screen pattern does not automatically mean a device is encrypted. With only minimal technical expertise, Windows passwords can be cracked. Hard drives can also be physically removed and the data can be accessed from another computer. Likewise, accessing data on an unencrypted, locked phone is a fairly simple process; all that’s really needed is a USB cable.
When a laptop or phone is encrypted, all of its data is unreadable without that master password.
1.4 What does the GDPR say about encryption?
Principle #7 of the GDPR states that: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
“Unlawful processing” of personal data often occurs after the theft or loss of portable devices such as company laptops and USB sticks. There is a thriving criminal industry around data recovery off lost or stolen devices, providing opportunities for data and identity theft. A lost laptop or phone is likely to be harvested for data before it is wiped and resold on the black market.
In the event of personal data loss, a data processor can be required under the GDPR to notify the ICO, the Charities Commission and the subject whose data may have been lost. This is an embarrassing and fraught process, particularly if you are not 100 percent sure precisely which data may have been on the lost device.
The GDPR does not state that encryption of any type of data is essential for GDPR compliance. However, it does include it as a recommendation in certain circumstances. Two sections of the GDPR are included here for reference and the key sections regarding encryption are highlighted in bold:
Recital 83 specifically suggests encryption as a means of GDPR compliance. The second section highlighted in bold below refers to “security risk”, which would be considered higher for portable devices like phones and laptops.
In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage
Article 34 deals with your responsibilities should your clients’ data be breached and your obligations in disclosing that breach to the client. If an encryption policy is in place, you should not be required to disclose the data breach, as you would have “implemented appropriate technical and organisational protection measures” to ensure protection of the data.
1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
3. The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:
(a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption.
1.5 How do I encrypt my devices?
Mobile phones, laptops and portable USB media can all be encrypted to ensure data security. There are varying types of encryption, and the recommended means of encryption varies between device and platform. The rest of this document deals with types of encryption available for varying devices, and our recommendations.
It is strongly recommended that you adopt a policy of encrypting laptops within your organisation, as the risk of loss or theft is relatively high. Methods of encryption for laptops are:
- Windows laptops: encryption with Bitlocker recommended
- Apple laptops: encryption with Filevault recommended
- Linux laptops: encryption methods vary according to distribution
2.2 Windows laptops
Windows Professional and Enterprise editions contain a built-in encryption tool called Bitlocker, which is not available in Windows Home. It is strongly recommended that this is set up for all laptops in use by your organisation.
Bitlocker, once configured, is very straightforward to use, and simply requires the end-user to enter a decryption password or PIN to use the device.
It is generally recommended when first setting up Bitlocker to back up any existing data and completely reinstall Windows on the laptop, as this removes any bloated programs that are shipped by the manufacturer, and leaves a much cleaner, faster Windows install. This procedure is essential if the laptop ships with Windows Home Edition, as the Home Edition does not include Bitlocker.
We offer an encryption service for Windows laptops which includes a complete reinstall of the Windows operating system, and removal of all junkware and bloatware. Please see Our Services for details.
2.3 Apple laptops
Apple operating systems since OS X 10.7 (Lion) have contained a built-in encryption tool called FileVault 2. If you are running this version of OS X or later, Apple have created a good quality how-to explaining how to encrypt your device which is included in section 5.
Whilst encryption tools are available for users running earlier versions of OS X, there are significant limitations to these and they are not recommended. If you are running an earlier version of OS X and you are concerned about the data security on this device we recommend upgrading to a later model.
2.4 Linux laptops
Most common Linux distros (eg. Ubuntu, Linux Mint) contain a method of encryption at installation time. It is less straightforward to encrypt a Linux installation after the fact and is generally not recommended. However, distros and encryption methods vary widely, so please contact us to discuss your specific requirements if you are using Linux.
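The tools named in sections 2.2 to 2.4 can also report whether a laptop is actually encrypted, which is useful when checking devices against an encryption policy. The following Python is an added example, not part of the original article: it parses the output of `manage-bde -status` (Windows), `fdesetup status` (macOS) and `lsblk -J` (Linux). The sample outputs are constructed, and English-language tool output and a Windows system drive of C: are assumed.

```python
import json
import platform
import re
import subprocess


def bitlocker_protected(manage_bde_output: str) -> bool:
    """Windows: parse `manage-bde -status C:` (run from an elevated prompt).

    Encrypted is not enough: with protection suspended the key sits on the
    disk in the clear, so both fields must be in the good state.
    """
    fields = {key.strip(): value.strip() for key, value in
              re.findall(r"^\s*([^:\n]+):[ \t]*(.*)$", manage_bde_output, re.M)}
    return (fields.get("Conversion Status") == "Fully Encrypted"
            and fields.get("Protection Status") == "Protection On")


def filevault_on(fdesetup_output: str) -> bool:
    """macOS: parse `fdesetup status`; a disk still converting is not done."""
    text = fdesetup_output.strip()
    return text.startswith("FileVault is On") and "in progress" not in text


def luks_root(lsblk_json: str) -> bool:
    """Linux: parse `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT`.

    True only if the filesystem mounted at / sits below a dm-crypt mapping
    (TYPE "crypt"), directly or through LVM.
    """
    def walk(node, under_crypt):
        under_crypt = under_crypt or node.get("type") == "crypt"
        if node.get("mountpoint") == "/":
            return under_crypt
        for child in node.get("children") or []:
            found = walk(child, under_crypt)
            if found is not None:
                return found
        return None

    return bool(walk({"children": json.loads(lsblk_json)["blockdevices"]}, False))


# Command to run and parser to apply, keyed by platform.system().
CHECKS = {
    "Windows": (["manage-bde", "-status", "C:"], bitlocker_protected),  # C: assumed
    "Darwin": (["fdesetup", "status"], filevault_on),
    "Linux": (["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"], luks_root),
}


def system_disk_encrypted() -> bool:
    """Run the native tool for this platform and parse what it reports."""
    command, parse = CHECKS[platform.system()]
    result = subprocess.run(command, capture_output=True, text=True, check=True)
    return parse(result.stdout)


# Constructed sample: fully encrypted volume with BitLocker protection suspended.
SAMPLE_BDE_SUSPENDED = """\
Volume C: [Windows]
[OS Volume]

    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Protection Status:    Protection Off
    Lock Status:          Unlocked
"""

if __name__ == "__main__":
    print("system disk encrypted:", system_disk_encrypted())
```

The suspended-protection sample is the case a simple "is it encrypted?" check misses: the disk reports as fully encrypted but would not protect data if the laptop were lost in that state.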
3 Mobile phones and tablets
Mobile phones and tablets should generally be encrypted, especially where mobile devices are used for work emails. However for peace of mind it is strongly recommended to encrypt all phones and tablets, unless they are always kept on the same locked premises at all times.
In the descriptions below I refer to encrypting “phones” only, as these will be the devices that most commonly contain sensitive data, and are generally carried on and off site with regularity. However the information applies the same to tablets or phablets that run Android or any iOS operating system.
If you have a phone, tablet, phablet or other portable device that does not meet any of our descriptions here, please let us know so we can give you a risk assessment.
For hybrid devices, such as the Microsoft Surface range, please see the advice given under laptops. These are devices which can be used as both laptops and tablets, and often have detachable keyboards.
If you are using an iPhone 4S or later, then your device is encrypted by default. However you still need to take some steps to ensure your data is secure.
- Make sure you have a strong PIN in place to unlock the phone. Without it your phone will technically be encrypted, but you will have no real protection.
- Make sure you are running iOS 8 or later, as this is the operating system for which encryption was introduced.
- Note that iPhones prior to the 4S did not support any meaningful form of encryption; you should upgrade these handsets if security is a concern.
- Similarly, the first generation iPad does not support iOS 8, and therefore also does not support encryption. The iPad 2 and onwards is fine as long as it runs iOS 8 or later and is protected with a PIN.
3.3 Android devices
Whilst all Apple devices that support iOS 8 and above are automatically encrypted out of the box, the situation for Android devices is slightly more complicated due to the large number of manufacturers who use the Android operating system, and the variations in the underlying hardware.
Google has required encryption to be enabled out of the box for all new devices that shipped with Android version 6 or higher, regardless of manufacturer. However, this does not mean your phone or tablet is necessarily encrypted if it is running Android version 6. Devices that originally shipped with Android version 5 or lower, and were later upgraded to version 6 do not have encryption enabled by default. In some cases, the same phone model may have encryption enabled or disabled out of the box, depending on when it was manufactured.
Most Android devices are straightforward to encrypt manually if required, and a how-to is provided in section 5.
3.4 Windows Phone
Encryption is available for Windows 10 mobiles. This uses the same technology as Bitlocker on Windows laptops and is a strong form of encryption. However, information on performance and reliability of Windows phone encryption is not as extensive as that for Android and Apple devices. For example, older Windows 8 phones appear to report encryption support, but Microsoft’s own documentation does not support this. There have also been reports of email syncing issues when using an encrypted Windows phone. If this is of particular concern we recommend switching to an Android or Apple device.
However, the process of encrypting a Windows phone is straightforward for a non-technical end-user, and a link to a how-to is provided in section 5.
4. Portable media
Portable media in the form of USB flash drives present a distinctive security challenge. Our experience shows that they are frequently used to transfer data between computers, and very often the files that are copied are never deleted from the device. Furthermore, being so small USB sticks are very easily mislaid. Unlike with a phone or a laptop, the loss of a USB stick containing sensitive data may not be noticed by the person using it for weeks or months.
4.2 USB removable disks
USB removable disks refer to USB flash drives, USB hard disks, USB SSDs, or any kind of writeable USB device.
4.2.1 USB hardware encryption
The most user-friendly way to ensure the security of these devices is to purchase a USB disk or USB key with a hardware decryption feature. This usually comes in the form of physical buttons you have to press to enter a PIN which will decrypt a USB device before it can be used in a computer. These cost more than standard USB devices but are very user-friendly, and can be used with any platform (Windows, Apple or Linux). Searching for “encrypted USB” or similar on Amazon will return a huge number of types of these devices. We do not recommend any specific model but do recommend you go with a reputable brand.
4.2.2 USB Bitlocker encryption
A second user-friendly option is to encrypt your USB disk using Bitlocker. This may be a more practical option if you need to use a 1TB or 2TB encrypted hard disk. The cost of a larger USB disk that supports hardware (PIN) encryption is very high – over £200 for a 1TB disk. If you want to use Bitlocker we recommend you send the disks to us for encryption, as the initial setup should be done by an engineer. Afterwards the disk can easily be decrypted by an end-user with the correct password. However, the disks will only be usable in PCs running Windows Professional Edition or higher. This includes:
- Windows 7 Professional, Windows 7 Enterprise and Windows 7 Ultimate
- Windows 8.1 Professional and Windows 8.1 Enterprise
- Windows 10 Professional and Windows 10 Enterprise
You can check which edition of Windows you are running by going to the Windows menu and typing “winver” (no quote marks) and then pressing enter.
4.3 SD cards, optical media, and others
In the vast majority of cases, when not moving data across a network, data will be moved between computers on a USB device of some kind, as has become the norm. In a few exceptional cases, other forms of portable media may still be in use for moving data between PCs which could pose a GDPR compliance risk if not encrypted. Some examples are given below:
- SD cards: small, portable flash media. They are generally used in digital cameras or as expansion storage for mobile devices (see section on mobiles).
- Optical media such as CDs, DVDs and Blu-rays
- Floppy disks
- Tape drives
In all of the above cases we would recommend cessation of the use of these types of media for sensitive data transfer, as encryption is either impossible or highly impractical for these types of media.
If your organisation has a need to transfer sensitive data using one of the above, or some other type of media not mentioned in this article, please contact us. We will be able to suggest an alternative solution in many cases.
5. Encryption how-tos
Some devices (eg. Android phones, iPhones, Macbooks) can be straightforwardly encrypted by end-users. We have included how-to instructions for these devices in this section.
Please note: encrypting the devices listed here is generally a very straightforward process, and will not require technical expertise. However, it is not completely risk-free and precautions should be taken. Please read these instructions carefully; Comm-Tech cannot accept any responsibility for loss of data. We do provide a safe and efficient encryption service for devices. Please contact us for more information.
5.1 Android phones and tablets
To check whether your Android phone is encrypted:
- Go to Settings / Security / Encryption
- If your device is not encrypted, you will see an option here that says “Encrypt phone” or similar. If so then skip to the how-to below.
- If you do not see an option in this menu to encrypt the device, it either means your phone is already encrypted, or does not support encryption. If this applies, follow these steps:
- Go to Settings / About Device (this option might also be called About Phone, or similar).
- Check for the Android version, which will give some more information.
- If your phone runs Version 6 or higher then it may be encrypted out of the box. Double check there is no “Encrypt phone” option in Settings / Security / Encryption. If there is no option listed then the phone is probably encrypted already. However, you should use Google to check whether your model is encrypted out of the box or not. Be especially cautious with Android Version 6, as most phones running this version will not have encryption set up by default. If you are sure the phone is encrypted, then make sure you set a strong PIN, and you are good to go.
- If your device runs Version 5 then the device should support encryption, but will not be encrypted unless it has been done manually by you or someone in your organisation.
- If your device runs Version 4 it might support encryption. Double check there is no “Encrypt phone” option in Settings / Security / Encryption. You will need to Google your device model to see if it supports encryption or not.
- If it is Version 3 or lower it will not support encryption.
- If you are running a device with Android Version 3 or lower (or Version 4 with no encryption option) and you use the phone for sensitive data, such as work emails, we recommend upgrading to a new device.
5.1.1 How to manually encrypt an Android phone
If your phone is not encrypted, but gives an “Encrypt Phone” option or similar in settings, read on before you go ahead, or you may lose your data or even worse “brick” the phone.
Risks to be aware of:
- Encryption means your phone’s CPU will have some extra work to do, and some users have reported significant degradation when encrypting older models. If your phone is already sluggish or you are otherwise concerned about this you might want to consider upgrading your phone instead.
- If the phone loses power halfway through the encryption process it may completely break the phone and render all data on it unreadable. Most commonly this will happen when the phone is not plugged in and runs out of battery power, but in very rare cases an underlying hardware problem (eg. overheating) may cause the phone to reboot in the middle of the process. If your phone regularly powers off or reboots of its own accord, or has other significant issues you should not attempt this process.
- After encryption, booting up will take a lot longer, at least twice as long as what it takes your phone to start up without encryption. Even on higher end devices, starting up an encrypted phone can take around 5 minutes.
- If you have rooted your phone, you must unroot it before continuing.
- If your phone supports an external SD card for expanded storage and it is plugged in, you may need to take an additional step (see below).
To encrypt the phone:
- Make sure all data on the phone is fully backed up before proceeding. Emails are nearly always backed up to a server unless using POP (very rare nowadays), but things like photos, text messages, phone logs, etc. may need to be backed up manually.
- Connect your phone to a reliable charger and keep connected for the entire encryption process, which usually takes about 1 hour.
- Go to Settings / Security, and find the lock-screen options. You should set up a strong lock screen password, PIN, or pattern, and also require this to be entered when the phone first boots up. Note that even with a fingerprint reader, you can’t use a fingerprint to unlock a device on first boot; you’ll have to put in the password, PIN, or pattern. After the device has been decrypted with the correct security unlocking method, the fingerprint reader can be used to unlock the screen moving forward.
- Go to Settings / Security / Encryption
- Choose the option that says “Encrypt phone” or “Encrypt device” or similar.
- You will usually be presented with two warnings which let you know about the encryption process and what to expect afterwards. Read these carefully and proceed when ready.
- After clicking through all the screens the phone will begin the encryption process. Do not interrupt this or attempt to use the phone in any way until it prompts you further.
- All being well, the phone should reboot and prompt for your PIN (or other unlock option) when complete.
5.1.2 How to manually encrypt an external SD card on an Android
Many Android devices support the use of an external SD card to expand their storage capacity. By “external” here we do not literally mean outside of the phone, but simply separate from the phone’s main storage.
External SD cards can be encrypted along with the main file system for extra security. Depending on how your device is configured, this is something you may want to consider. For example, if you store your work emails on the external SD card to save space on your main device, the external SD card should be encrypted.
There is usually an option in Android Security settings to encrypt an external SD card in much the same way you encrypt the main file system as above. Please take the same precautions with backing up data and plugging in the phone etc, then choose the option called “Encrypt external SD card”, or similar.
Alternatively, if you choose to format your external SD card as Internal Storage when first putting it into the phone, Android will encrypt the card by default.
Some things to bear in mind when encrypting the external SD card:
- Once encrypted, the SD card can only be read from within your phone. You cannot remove it and connect it to a laptop, PC or other device, as only the phone contains the decryption key.
- External SD card encryption is not always reliable when the SD card is already in use. You may need to back up any data on the card, format it using the Storage part of the Settings menu, and then set up SD encryption before any data is transferred on to it.
5.2 Apple Macs and Macbooks
Apple have provided a good-quality how-to for encrypting these devices which should be possible to follow for most end-users. It can be viewed here:
5.3 Windows phones
A good encryption how-to for Windows phones can be found here. Please read the caveats carefully before proceeding.
AUTHOR: Mark Anthony @ COMM-TECH