General Data Protection Regulation (GDPR) and Managed File Transfer
The EU Data Protection Ordinance, or EU General Data Protection Regulation (GDPR), brings a far-reaching harmonization of European data protection law for personal data. The amended rules are legally binding as of May 25, 2018.
Any company doing business with individuals located in the EU needs to obey GDPR.
The GDPR's definition of 'personal data', the so-called Personally Identifiable Information (PII), is very broad: names, birthdays, photos, addresses, and even social media posts fall under GDPR.
GDPR also gives the individuals concerned the right to know what PII is being collected, why it is collected, and how it is used. They can also demand that data controllers transfer, surrender or delete their PII.
Consequently, secure data exchange becomes critical whenever personal data is involved. By law this requires:
- Encryption and anonymization of the personal data
- Securing data confidentiality and integrity
- Availability of systems and services to be able to access data if needed
- Recovery of personal data in a secure way after a failure
Unprepared for GDPR?
Personal data can be exchanged in a number of ways, i.e. system-to-system (upload of batch files, scheduled FTP transfers etc.), system-to-human (planned reports, ad-hoc enquiries etc.) and human-to-human (e-mails, flash drives etc.).
Companies with uncoordinated, decentralized data exchange are especially at risk of committing data breaches as of May 25th, 2018. Whether intentional or accidental, data leakage from key business applications remains a threat for many companies. Leakage can result in data breaches that violate rules, including internal compliance mandates, partner or customer service level agreements (SLAs), and privacy or data protection laws like GDPR.
Not meeting GDPR requirements represents an existential risk for companies. Violations cost fines, time and money (potentially €10-20 million and up to 2-4% of worldwide group turnover). The penalties for inadequate protection of personal data also affect those who are directly responsible, e.g. Managing Directors, board members, Data Controllers, the CISO etc.
GDPR requires risk management
Data Protection Impact Assessments for technologies that pose a high risk when processing personal data need attention in the following areas:
- Application design
Application design must address data protection from the outset, following the principles of 'data protection by technology design' and 'data protection by default'.
- Secure exchange of data
Encryption and anonymization of data, the confidentiality, integrity and availability of systems and services, and recovery after a physical or technical incident are required.
- Option to delete any personal data of an individual
Individuals have the right to request that companies delete any Personally Identifiable Information (PII) relating to them, simply by withdrawing their consent. In one-off cases this request may be difficult to fulfill, but it is still achievable. However, in large organizations, or if many requests arrive at the same time, it can become too difficult without prior preparation. This can create the need for a consent management hub that tracks the whereabouts of PII. A prerequisite for such a hub is integration: the systems holding and/or transferring PII need interfaces to interact with the hub.
- Operation of secure cloud services
The majority of companies use cloud services from external service providers to some extent. The provider liability introduced by GDPR means that providers of cloud services can increasingly be held liable; however, the correct choice of a service provider and the evaluation of the measures it has implemented to protect data remain a real challenge. Certifications and attestations by external auditors form a good basis for evaluation.
- Legal framework conditions
An exchange of data with the USA is only legitimate if binding corporate rules or contracts based on the EU standard contractual clauses have been concluded within an affiliated group of companies.
Companies must enter into order processing agreements or nondisclosure agreements (NDAs) with their customers, IT service providers, consulting partners and data center providers. Generic order data processing contracts are no longer sufficient. Order processing agreements under GDPR must contain an order-specific part that describes the order-specific technical and organizational data protection measures in detail.
For unstructured data there are still many FTP channels in use, while at the same time Internet file sharing services have become common. In both scenarios it can be difficult to have reliable order processing contracts in place.
- Burden of proof
Because GDPR introduces accountability obligations, documentation becomes even more important, and data protection records need to be more detailed.
Proof of the effectiveness of the measures by means of internal audits, external certifications and attestations (e.g. ISO/IEC 27001 and ISAE 3402 (SOC 1) Type 2) is needed.
Currently there is no official GDPR certification process, so 'GDPR compliance' as such cannot currently be formally demonstrated. However, attention to the technology areas above will help prepare you for GDPR compliance as and when certification becomes available.
Data Protection for Files in Transit
Sharing files among people and systems is essential to today's increasingly automated business operations. But when file sharing is not included in the design, execution and monitoring of core business processes, costly vulnerabilities are inevitable.
With a secure Managed File Transfer (MFT) solution, a company's business-critical data arrives at the right time and in the right place. Besides PII this could also be financial data, price lists, contracts, payment information, intellectual property, inventory, orders or supply chain data etc. At the same time, the sender is able to track and prove receipt.
SEEBURGER BIS MFT is a solution that provides secure and monitored end-to-end management of all file transfers.
Besides GDPR readiness, other reasons for data protection exist in many industries:
- Retail: Exchange of large product imagery with suppliers and financial details with banks
- Consumer Goods: Brand teams collaborating with external parties on marketing material
- Media: Transfer of digital video files and creative assets
- Manufacturing: Distributing marketing content to regionally located centers
- Engineering: Multi-party exchange of CAD files for virtual teams
- Financial Services: Payment processing and the exchange of payments for services and goods
SEEBURGER BIS MFT is a solution that can help businesses become GDPR ready. With an MFT solution in place, every file is governed by policies, and the solution helps validate, check and securely move data of any size between internal applications, companies, partners, customers and employees. Including file transfer in your business process management strategy also avoids the hidden costs of 'free' file sharing.
Read more about the right strategy for your GDPR initiative and how SEEBURGER can help:
Gain Insights on GDPR’s Requirements
The 2-year transition period for the introduction of the GDPR requirements ends on May 25th, 2018. An introduction to the scope of the GDPR Regulation is given in the blog of SEEBURGER's CISO.
GDPR: Readiness Playbook. Beware, prepare or despair.
GDPR is making a lot of noise both domestically and globally. Recently the major US technology companies known as the FANG companies (Facebook, Amazon, Netflix and Google) have made a splash by opening new privacy centers and paying attention to data privacy, in order to comply with Europe's GDPR regulation, which arrives in just three short months.
Understanding GDPR’s Security Implications
The exchange of personal data between companies is a common security weakness. Read more in the blog post of SEEBURGER's Head of Global Services & Support.