File Transfer Best Practices for Complying with the 7 GDPR Principles

File Transfer Best Practices for Complying with the 7 GDPR Principles

Posted on June 01, 2018 0 Comments

CIOs, CISOs, data protection officers and compliance managers who work for businesses that interact with citizens in the European Union (EU) now need to be on-guard. The countdown for the General Data Protection Regulation (GDPR), which went into effect May 25, is over.

The regulation is one of the most stringent and costly data protection laws yet for any organization that fails to comply. With data volumes growing exponentially, and the constant need for data portability between on-premises and cloud environments, adhering to the GDPR directive presents a tricky challenge.

Learn how California's new privacy laws affect your business. Download our free  CCPA guide.

GDPR is predicated upon seven principles that seek to protect the rights and freedoms of individuals living in the EU. Citizens that live in the UK also fall under the protection of the GDRP, despite the pending Brexit initiative.

Leveraging the principles to comply with the GDPR regulation can save you a lot of money. If a data breach occurs, regulators will evaluate whether you incorporated appropriate technologies that could have prevented the attack. If not, the penalty for non-compliance can run as high as €20 million (roughly $26.6 million) or 4% of global annual turnover—whichever is higher.

European-based businesses are not the only ones who need to take notice. U.S. companies that do business with customers in Europe are also subject to GDPR penalties. This is not such a bad thing. Complying with GDPR can also generate benefits. In addition to helping you avoid fines, the seven principles offer solid guidelines for building a secure IT infrastructure to avoid data breaches and protect your digital assets. Given all the massive data breaches that occurred in 2017, that’s a worthwhile pay-off on its own.

Best Practices for GDPR Compliance Principles

The GDPR data processing protection principles are meant to assure that the rights of individuals are prioritized as businesses design, deploy and manage systems to collect and process personal data. File transfer systems, which fall under the definition of processing data, must provide the necessary functionality in order to enable compliance with GDPR. In this article, we take you through a rundown of the seven GDPR principles and the corresponding file transfer best-practice capabilities you will want to utilize.

Related: Defrag This - Top 7 GDPR Myths

Principle 1 - Fair, Lawful and Transparent Processing

Care must be used when designing and implementing personal information-processing activities. The required file transfer functionalities to address this principle include non-repudiation in order to validate personal and sensitive data are transferred only between authorized senders and receivers. Businesses must also apply centralized, fine-grained access control to safeguard user credentials, permissions and personal data.

Principle 2 - Purpose Limitation

Personal data collected for one purpose should not be used for another incompatible purpose. To comply with this principle, replace cryptic file transfer scripts with a forms-based system that provides a standardized, secure and documented record of data-transfer tasks.

Principle 3 - Data Minimization

Collection and processing should be limited to the personal data that’s needed to achieve the stated purpose. This can be accomplished through comprehensive analytics that provide the required insights into file transfer activities to assure on-going compliance with GDPR data protection principles.

Principle 4 – Accuracy

All reasonable steps must be taken to ensure personal data is accurate. The key process to apply here is automatic file-integrity checking when transferring files. This validates that files have not been altered.

Principle 5 - Retention Periods

Personal data should not be retained longer than needed for the stated purpose. Business should thus make sure their file transfer system allows for the scheduling of common repetitive pre-transfer and post-transfer tasks, including the scheduled deletion of personal data files.

Principle 6 - Data Security

Personal data must be secured against internal and external threats, accidental loss, destruction and damage. To satisfy the requirements of this principle, encrypt personal data in transit and at rest during file transfer processes. The file transfer system should also be integrated with data loss prevention and anti-virus systems.

Principle 7 – Accountability

Compliance with all the data protection principles listed above and below must be documented. GDPR requires businesses and organizations to address this principle through automatic collection and reporting on data transfer logs. The logs and reports should then be stored in one centralized consolidated location, and the audit logs must be tamper-evident in order to be trusted for accuracy.

Applying the best practices described above to comply with the seven principles of GDPR can also play a key role in intent-based networking initiatives. This approach makes it easier to apply security and compliance policies across disparate devices by abstracting networks, which is a form of network virtualization.

Below is an infographic that you can use for quick reference when it comes to these 7 principles.

Infographic-GDPR-7steps-EN-1

Streamlining Your GDPR Compliance Efforts

No doubt, it will be difficult to comply with GDPR requirements—it has 87 pages of detailed requirements and 99 articles of specifications. To streamline the process, the key is to focus on the requirements that require you to add or adjust your IT processes and systems. Some of the more important aspects of GDPR to consider are properly managing the authorized consent of collecting personal data from EU residents; building data protection into every processes and system that collects personal data; and minimizing as much as possible the amount of personal data collected and stored as well as the timeframes for keeping that data.  

For more information on how to comply with GDPR, check out this GDPR FAQ, Overview of GDPR Principles, and the GDPR 10-Step Action Plan. As these and other resources convey, for any organization conducting business with EU citizens, GDPR-readiness is essential.

And if you’re looking for a low-risk, cost-effective way to comply with GDPR and the seven data-protection principles, a managed data transfer solution such as Ipswitch MOVEit File Transfer will get the job done. MOVEit integrates secure data transfer with centralized workflows, access control, and audit logging. This approach results in fewer moving parts, which then translates into lower risk to personal data—and less time and money spent managing and supporting data-transfer processing activities.

Kevin Conklin

Kevin joined Ipswitch in 2015 and leads the company’s product and content marketing practices. He is widely recognized for his product marketing accomplishments in information technologies. He is a serial startup executive having played instrumental roles in the success of such companies as for Prelert, VKernel, Mazu Networks and Smarts, Inc. and has been instrumental to the success of these IT management technology companies. Kevin is also the co-host of the PICNIC Podcast live show (https://picnic-podcast.com/), sharing experiences and best practices, providing a voice of expertise, and educating IT professionals with the latest technology challenges.

Comments

Comments are disabled in preview mode.
Topics

Sitefinity Training and Certification Now Available.

Let our experts teach you how to use Sitefinity's best-in-class features to deliver compelling digital experiences.

Learn More
Latest Stories
in Your Inbox

Subscribe to get all the news, info and tutorials you need to build better business apps and sites

Loading animation