It’s been months since the EU’s landmark data protection regulation, the General Data Protection Regulation (GDPR) went into full effect. This means that companies around the world now have to be more careful about the way they handle personal data collected about residents of the EU to ensure the safety and privacy of this information. If they don’t, they could be subject to massive fines and penalties—as several companies have already found out.
But not all companies have caught up to the legislation. In fact, consent banners have increased by a mere 16 percent since the implementation of the GDPR, while the number of third-party cookies per webpage has dropped 22 percent, according to a survey of news sites in seven EU countries.
Those are big numbers, but not as big as the onslaught of “We’ve Updated Our Terms” emails on May 26th may have led you to believe. So what does this mean?
It means that many companies are very behind on GDPR compliance, and it also means this is the perfect time to continue our delayed-but-not-forgotten series, Breaking Down the GDPR’s Data Protection Principles.
In this series of articles, we’ll explore the seven principles of data protection, how they relate to GDPR, and how you can use these principles to protect your company’s data and ensure compliance with GDPR and other regulatory guidelines.
In the first post of the series, we covered the basics of the GDPR—what it is, what it’s about, and who it affects—as well as the first principle of data protection: the right to fair, lawful, and transparent processing of data. In the second post, we covered—you guessed it—principles two and three: Purpose Limitation and Data Minimization. In our third post, we covered principles four and five: accuracy and storage limitation.
Now let’s pick it up where we left off, with principle six: integrity and confidentiality, and seven: accountability.
Principle Six: Integrity and Confidentiality
Principle six of the GDPR is one of the most important of the seven tenets that the legislation upholds, and for good reason—it’s all about security.
Principle six states that data must be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.”
Let’s translate that from legalese to plain English: organizations must treat personally identifiable information (PII) in a manner that is secure from theft, destruction, or accidental loss. The call for the use of “appropriate technical or organizational measures” is a little fuzzy, and it’s likely that the GDPR’s authors were purposefully vague in mandating security steps, as these technologies and best practices are in a constant state of change.
To me, it sounds like they’re asking you to use well-established security best practices: things like encrypting data in transit and at rest, using two-factor authentication, and using tamper-evident logging to track who accesses data, when, and how. To organizations used to keeping PII in unsecured S3 buckets, that may sound like a lot, but it’s really not much effort to enact these changes, and I recommend doing so regardless of whether or not you need to be in compliance with the GDPR.
Principle Seven: Accountability
While principle six is the only one that explicitly focuses on security, our final principle focuses on what everyone really cares about: consequences.
Principle seven states, succinctly, that “the controller shall be responsible for, and able to demonstrate compliance with [the previous principles].”
If you fail to demonstrate compliance with the previous six principles, the consequences can be dire: up to USD $24M or 4 percent of worldwide annual turnover, whichever is higher. And compliance is mandatory for any organization that collects, stores or processes the personal data of EU residents. It doesn't matter where your company is headquartered. Even companies that do not have a physical presence in the EU must comply with the GDPR.
But what does compliance look like? How are you supposed to demonstrate compliance? The GDPR doesn’t outline how businesses will demonstrate compliance, because that will differ greatly depending on the type of business you do, the data you handle, and the size of your organization. But you can bet that you’d better be ready for an audit, regardless of size. Typical best practices, such as logging security incidents and access to PII and conducting internal audits, are recommended.
What’s more, it may be advisable to get a risk assessment of your business, which will help you identify any weak points and evaluate whether or not you need to improve or implement specific security controls.
How Managed File Transfer Will Help Your Business Comply
As noted above, if your business collects, stores, processes or transmits the personal data of EU residents, the General Data Protection Regulation (GDPR) will apply to you. With this much at stake, the best practice is to assure that the systems, user authentication, and encryption techniques involved in the transmission of personal data are secure and compliant with GDPR.
There are many ways that a reliable Managed File Transfer solution like MOVEit can help keep your company GDPR compliant.
- Automatic File Integrity Checking validates that a file has not been altered, thus ensuring there are no costly mistakes that result in inaccurate data, and that data has not been inappropriately accessed.
- Encryption of data in transfer and at rest. MOVEit utilizes both transport and storage encryption, with either SSL or SSH used to encrypt files in transport, and FIPS 140-2 validated 256-bit AES for files on disk. These steps will keep your files, and the PII that you handle, secure even in the event of a breach.
- Detailed, Tamper-Evident Logging of file transfer activity will let you know exactly who accessed data as well as when, where, and how they did. That way, if tampering does occur, you’ll be on top of it.
- Built-In Data Nonrepudiation will also let you prove who uploaded a specific file, who downloaded it, and that the file uploaded and the file downloaded are identical, giving you the capability to authenticate each user that visits a file, and provide a reliable log of that access.
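To make the three mechanisms above concrete (the file integrity checking, tamper-evident logging, and non-repudiation bullets, and the tamper-evident logging called for under principle six), here is a small added example in Python. It is not MOVEit code or any vendor's implementation; it assumes a shared HMAC key held by the auditing system (in practice kept in a KMS or HSM, not in source), a constructed sample file, and a JSON record format chosen for this illustration. Each log record carries the SHA-256 of the file and an HMAC that covers the record plus the previous record's HMAC, so editing, deleting, or reordering any entry is detectable on verification.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key. A real deployment keeps this in a KMS/HSM and
# restricts who can compute MACs, otherwise "tamper-evident" means nothing.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"

GENESIS = "0" * 64  # "previous MAC" for the first record in a chain


def file_digest(data: bytes) -> str:
    """File integrity check: SHA-256 of the file contents, hex-encoded."""
    return hashlib.sha256(data).hexdigest()


class TamperEvidentLog:
    """Append-only access log where each record is HMAC-chained to its predecessor."""

    def __init__(self, key: bytes):
        self._key = key
        self.records = []
        self._prev_mac = GENESIS

    def _mac(self, body: dict) -> str:
        payload = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def append(self, user: str, action: str, filename: str, digest: str) -> dict:
        """Record who did what to which file, binding the entry to the chain."""
        body = {
            "seq": len(self.records),
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "action": action,  # "upload" or "download"
            "file": filename,
            "sha256": digest,
            "prev": self._prev_mac,
        }
        record = dict(body, mac=self._mac(body))
        self.records.append(record)
        self._prev_mac = record["mac"]
        return record

    def verify(self):
        """Return None if the chain is intact, else the index of the first bad record."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "mac"}
            if body.get("seq") != i or body.get("prev") != prev:
                return i  # deleted, reordered, or inserted record
            if not hmac.compare_digest(self._mac(body), rec["mac"]):
                return i  # record contents edited after the fact
            prev = rec["mac"]
        return None


def transfer_matches(log: TamperEvidentLog, filename: str) -> bool:
    """Non-repudiation check: every logged download of a file has the same
    digest as its most recent logged upload, so uploader and downloader
    provably handled identical bytes."""
    uploads = [r for r in log.records if r["file"] == filename and r["action"] == "upload"]
    downloads = [r for r in log.records if r["file"] == filename and r["action"] == "download"]
    if not uploads or not downloads:
        return False
    expected = uploads[-1]["sha256"]
    return all(hmac.compare_digest(d["sha256"], expected) for d in downloads)


def demo():
    """Walk through an upload, a download, a verification, and a detected tamper."""
    log = TamperEvidentLog(DEMO_KEY)
    sample = b"name,email\nAlice,alice@example.com\n"  # constructed sample PII file
    log.append("alice", "upload", "customers.csv", file_digest(sample))
    log.append("bob", "download", "customers.csv", file_digest(sample))
    intact = log.verify()                               # None: chain is good
    matches = transfer_matches(log, "customers.csv")    # True: same bytes both ways
    log.records[0]["user"] = "mallory"                  # someone rewrites history
    tampered_at = log.verify()                          # 0: first record no longer verifies
    return intact, matches, tampered_at


if __name__ == "__main__":
    print(demo())
```

The verification walks the chain from the first record, so an auditor who holds the key can check the whole history offline; deleting a middle record breaks the `prev` link of the record after it, and editing any field changes that record's MAC. For a real audit trail, the chain head (the latest MAC) should also be periodically written somewhere the log writer cannot modify, so that truncating the log from the end is detectable too.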