With GDPR approaching, many organisations have identified the external partners or third parties they share personal data with. Most organisations use email, cloud-based file sharing or FTP servers to share this data - but are these systems able to support compliance? We look at the effectiveness of different systems in the context of five key GDPR data protection principles.
It's easy for organisations to accumulate multiple data-sharing technologies, buying and adopting new systems as their needs evolve. Each tool is usually selected for a specific need, such as email for ad-hoc sharing, EFSS for collaboration, cloud-based file share for convenient transfer of large files and FTP for routine or scheduled transfer operations. But when these tools are used to transfer data that is protected by regulations, problems can arise. When end-users have a choice of data sharing tools their selection for any specific use-case may not comply with data protection regulations.
Since the GDPR has many articles that require data is protected in ways that these tools don't support, how can organisations and businesses ensure that their file transfers are compliant? We look at five principles that provide the best guidelines for the 'data processing' activities that are part of file transfer:
Principle 1 - Fair, Lawful and Transparent Processing: Additional care must be used when
designing and implementing personal information processing activities.
This principle requires that compliance is built into data processing workflows, including the transfer of personal data. Workflow design must consider data security, tracking, limitation of purpose and deletion when no longer needed. Clearly, using email or cloud-based file shares to transmit protected data will be problematic as they rarely have the built-in ability to delete files on a policy based schedule.
Principle 2 - Data Security: Personal data must be secured against internal and external threats, accidental loss, destruction and damage.
A combination of strong access controls and data encryption during upload, download and while the files are at rest will go a long way to satisfying this requirement. Non-repudiation (the ability to assure the file was delivered to the intended recipient) is also a key requirement.
Principle 4 - Accountability: Compliance with the Data Protection Principles must be documented.
Besides documented workflows, policies and a DPIA, your best bet at adherence to this principle is a centralised log of all file transfer activities. All workflows that share personal data should flow through one system with proper logging which ideally is also tamper-evident.
Principle 5 - Purpose Limitation: Personal data collected for one purpose should not be used for a new incompatible purpose.
For most organisations, this single requirement will cause significant changes to internal procedures, workflow designs and compliance management. Historically, data collected was the property of the collector to use for whatever purpose they felt necessary or convenient. Moving forward, data may not be reused for another purpose other than that specified in the ‘opt in’. When it comes to the transfer of personal data, ‘scheduled deletion’ should be a feature of the enabling system.
Principle 7 - Retention Periods: Personal data should not be retained longer than needed for a stated purpose.
Again, the best approach to compliance with the principle of data retention periods is to delete the data soon after transfer. This ‘scheduled deletion’ should be a feature of the file transfer system.
Reliance on commonly used mechanisms for file transfer may mean organisations are unable to comply with the GDPR. So what can you do to improve this? Managed File Transfer (MFT) systems provide the features mentioned in the above 5 principles. They also provide add-on options for email clients and drag-and-drop folder sharing that make it easy for end-users. This enables the implementation of clear policies that require the transfer of personal data (indeed any sensitive data) be conducted through Managed File Transfer.
For more information on the 7 Principles of GDPR and File Transfer, check out infographic on 'downloadable resources' for GDPR. For more information on Ipswitch's MOVEit Secure Managed File Transfer please get in contact with your Softcat account manager or send us a message using the button below.
We would love to hear any comments you have about this article!