The GDPR (General Data Protection Regulation) has, for some organisations, fundamentally changed the way businesses collect, process and transfer personal data. What is often referred to as the world's most forward-thinking data protection regulation has forced data controllers to ensure that basic levels of security are in place, in order to reduce the risk of loss, disclosure, unauthorised processing, deletion or manipulation.
One such example is the humble file transfer. Whether it is an automated process between two systems or companies, or an email attachment containing personal data, data controllers need to risk assess these processing activities and judge the likelihood and impact of a breach. Where either is deemed high, the controller needs to implement some form of control to reduce it.
Take a look at our definitive guide to Securely Sharing Documents and Files in a Privacy Oriented World.
File Transfer and the GDPR
Focussing on file transfer, there are countless examples of processes, even within the smallest organisations, whereby personal or sensitive data is moved and distributed. It is not unusual for a business model to be reliant on the ability to keep doing this. Think insurance companies, healthcare providers and financial organisations.
So, how can companies who are heavily reliant on being able to send personal and sensitive data to data subjects, partner businesses and other third-parties continue to operate in a manner which is considered low-risk and in the spirit of the GDPR?
Consider these five features of MFT (Managed File Transfer) solutions, which could help.
- Managed file transfer solutions typically offer encryption for any files which reside on the solution (encryption at rest), the use of encrypted transmission protocols such as HTTPS or SFTP for files in transit, and file integrity checks. The combination of all three protects documents and files which contain personal data against unauthorised access, modification and disclosure.
- Strong access controls leveraging internal user databases and strong passwords, in combination with multi-factor authentication. This reduces the risk of unauthorised access and gives far stronger assurance that the recipient of the personal data is indeed the intended recipient.
- Tamper-evident logging and auditing, whereby every interaction with the managed file transfer solution and every file or document transferred is logged in a format in which any modification or removal of a record is detectable and raises an alert to the administrator. This makes the audit trail far harder to dispute.
- Integration with existing security solutions, so that existing security policies are enforced consistently. For example, integrating with an anti-virus scanner to detect malware in transferred files, or utilising an existing DLP (Data Loss Prevention) solution to detect inappropriate or sensitive data being shared when it should not be.
- Analytics and reporting to give a current and historical overview of all document and file transfer activities. Logging and reporting information is not only available in the native reporting console but can also be exported to business intelligence tools or centralised logging solutions, where further analysis and reporting can be carried out.
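The first and third features above, file integrity checks and tamper-evident logging, are the two that are easiest to misunderstand, so here is an added example of how both are commonly built. It is illustrative code written for this article, not the code of any managed file transfer product. Each audit record carries the SHA-256 digest of the file involved, and each record's HMAC is chained to the previous record's HMAC, so editing, reordering or deleting a record breaks the chain from that point on. The key, file names, user names and file contents are all constructed for the demo.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Constructed demo key. In a real deployment the key lives in a KMS/HSM
# that the log's own administrators cannot read, otherwise an insider
# could simply re-sign the chain after editing it.
LOG_KEY = b"demo-audit-log-key-not-for-production"
GENESIS = "0" * 64  # chain anchor for the very first record


def file_digest(data: bytes) -> str:
    """SHA-256 of the file body, recorded at upload and re-checked at download."""
    return hashlib.sha256(data).hexdigest()


def _entry_mac(prev_mac: str, fields: Dict[str, str]) -> str:
    """HMAC over the previous record's MAC plus this record's canonical JSON."""
    body = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(LOG_KEY, prev_mac.encode() + body, hashlib.sha256).hexdigest()


def append_event(log: List[Dict[str, str]], actor: str, action: str,
                 filename: str, data: bytes) -> None:
    """Append one audit record, chained to the record before it."""
    prev_mac = log[-1]["mac"] if log else GENESIS
    fields = {"seq": str(len(log)), "actor": actor, "action": action,
              "file": filename, "sha256": file_digest(data)}
    entry = dict(fields)
    entry["mac"] = _entry_mac(prev_mac, fields)
    log.append(entry)


def verify_log(log: List[Dict[str, str]]) -> Tuple[bool, int]:
    """Walk the chain. Returns (True, len(log)) if intact, otherwise
    (False, index of the first record that does not verify)."""
    prev_mac = GENESIS
    for i, entry in enumerate(log):
        fields = {k: v for k, v in entry.items() if k != "mac"}
        expected = _entry_mac(prev_mac, fields)
        if fields.get("seq") != str(i) or not hmac.compare_digest(expected, entry["mac"]):
            return False, i
        prev_mac = entry["mac"]
    return True, len(log)


def check_download(log: List[Dict[str, str]], filename: str, data: bytes) -> bool:
    """Integrity check: do the bytes being served match the digest recorded
    when the file was uploaded?"""
    uploads = [e for e in log if e["file"] == filename and e["action"] == "upload"]
    if not uploads:
        return False
    return hmac.compare_digest(uploads[-1]["sha256"], file_digest(data))


def demo() -> Tuple[bool, int]:
    """Build a small log, then show an insider edit being caught."""
    log: List[Dict[str, str]] = []
    # Constructed sample file containing personal data.
    payload = b"policy-number,name,date-of-birth\n12345,A. Person,1970-01-01\n"
    append_event(log, "alice", "upload", "claims.csv", payload)
    append_event(log, "bob", "download", "claims.csv", payload)
    # Someone rewrites who downloaded the file; the chain breaks at record 1.
    tampered = [dict(e) for e in log]
    tampered[1]["actor"] = "carol"
    return verify_log(tampered)


if __name__ == "__main__":
    print("intact log:", verify_log([]))
    print("tampered log:", demo())
```

One caveat a practitioner should know: a hash chain on its own does not detect truncation of the tail, since a shortened log still verifies up to its last surviving record. That is why the final MAC (or the whole log) should be forwarded continuously to the centralised logging solution mentioned in the last bullet, so the verifier can compare the head of the chain against a copy held outside the MFT system.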
Would you like to learn more about managed file transfer and the best practices for its usage? Try our free Managed File Transfer for Dummies eBook.
The Myth of the GDPR Compliant Solution
Despite what you may have been told or seen from other solution vendors and providers, the GDPR does not certify products, and no solution can offer foolproof compliance. The GDPR is not a tick-box compliance standard like PCI DSS, and therefore it is difficult to offer anything in the way of a solution which provides assured compliance.
Instead the GDPR is risk-based. The expectation is that where personal data is collected or processed, the data controller and processor should take reasonable steps to risk assess that activity. Should that activity represent a heightened risk of breach, mitigating steps should be taken to reduce that risk.
In the case of file transfer, the transfer of files containing personal data is not forbidden by the GDPR, nor is it difficult. However, a solution with strong security controls should be implemented to lower the risk of a data breach. With a managed file transfer solution which has the features listed above, you will be in a good position to reduce your risk to an acceptable level.