<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=1678611822423757&amp;ev=PageView&amp;noscript=1">
Defrag This

| Read. Reflect. Reboot.

Breaking Down the GDPR's Data Protection Principles, Part 4: Integrity, Confidentiality, and Accountability

Jeff Edwards| August 31 2018

| security, GDPR, Compliance

gdpr-data-principle-part-1

It’s been months since the EU’s landmark data protection regulation, the General Data Protection Regulation (GDPR) went into full effect. This means that companies around the world now have to be more careful about the way they handle personal data collected about residents of the EU to ensure the safety and privacy of this information. If they don’t, they could be subject to massive fines and penalties—as several companies have already found out.

But not all companies have caught up to the legislation. In fact, consent banners have increased by a mere 16 percent since the implementation of the GDPR, meanwhile, the amount of  third-party cookies per webpage has dropped 22 percent, according to a survey of news sites in seven EU countries.

Those are big numbers, but not as big as the onslaught of “We’ve Updated Our Terms” emails on May 26th may have led you to believe. So what does this mean?

It means that many companies are very behind on GDPR compliance, and it also means this the perfect time to continue our delayed-but-not-forgotten series, Breaking Down the GDPR’s Data Protection Principles.

Make sure you are compliant with the GDPR. Download this free guide.

In this series of articles, we’ll explore the seven principles of data protection, how they relate to GDPR, and how you can use these principles to protect your company’s data and ensure compliance with GDPR and other regulatory guidelines.

In the first post of the series, we covered the basics of the GDPR—what it is, what it’s about, and who it affects—as well as the first principle of data protection: the right to fair, lawful, and transparent processing of data. In the second post, we covered—you guessed it—principles two and three: Purpose Limitation and Data Minimization. In our third post, we covered principles four and five: accuracy and storage limitation.

Now let’s pick it up where we left off, with principle six: integrity and confidentiality, and seven: accountability.

Principle Six: Integrity and Confidentiality

Principle six of the GDPR is one of the most important of the seven tenets that the legislation upholds, and for good reason—it’s all about security.

Principle six states that data must be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.”

Let’s translate that from legalese to plain English: organizations must treat personally identifiable information (PII) in a manner that is secure from theft, destruction, or accidental loss. The call for the use of “appropriate technical or organizational measures” is a little fuzzy, and it’s likely that the GDPR’s author were purposefully vague in mandating security steps, as these are technologies and best practices that are in a constant state of change.

To me, it sounds like they’re asking you to use well establish security best practices, things like encrypting data in transit and at rest, using two-factor authentication, and using tamper-evident logging to track who accesses data, when, and how. To organizations used to keeping PII in unsecured S3 buckets, that may sound like a lot, but it’s really not much effort to enact these changes, and I recommend doing so regardless of whether or not you need to be in compliance with the GDPR.

Principle Seven: Accountability

While principle six is the only one that explicitly focuses on security, our final principle focuses on what everyone really cares about: consequences.

Principle seven states, succinctly, that “the controller shall be responsible for, and able to demonstrate compliance with [the previous principles].”

If you fail to demonstrate compliance with the previous six principles, the consequences can be dire— Up to USD $24M, or 4% percent of worldwide annual turnover, whichever is higher. And compliance is mandatory for any organization that collects, stores or processes the personal data of EU residents.  It doesn't matter where your company is headquartered. Even companies that do not have a physical presence in the EU must comply with the GDPR. 

But what does compliance look like? How are you supposed to demonstrate compliance? The GDPR doesn’t outline how businesses will demonstrate compliance, because that will differ greatly depending on the type of business you do, the data you handle, and the size of your organization. But you can bet that you’d better be ready for an audit, regardless of size. Typical best practices, such as logging of security incidents and access to PII, and internal auditing are recommended.

What’s more, it may be advisable to get a risk assessment of our business, which will help you identify any weak points, and evaluate whether or not you need to improve or implement specific security controls.  

How Managed File Transfer Will Help Your Business Comply

As noted above, if your business collects, stores, processes or transmits the personal data of EU residents, the General Data Protection Regulation (GDPR) will apply to you.  With this much at stake, the best practice is to assure that the systems, user authentication, and encryption techniques involved in the transmission of personal data are secure and compliant with GDPR. 

There are many ways that a reliable Managed File Transfer solution like MOVEit can help keep your company GDPR compliant. 

  • Automatic File Integrity Checking validates that a file has not been altered, thus ensuring there are no costly mistakes that result in inaccurate data, and that data has not been inappropriately accessed.
  • Encryption of data in transfer and at rest. MOVEit utilizes both transport and storage encryption, with either SSL or SSH used to encrypt files in transport, and FIPS 140-2 validated 256-bit AES for files on disk. These steps will keep your—files, and the PII that you handle—secure, even in the event of a breach.
  • Detailed, Tamper-Evident Logging of file transfer activity will let you know exactly who accessed data as well as when, where, and how they did. That way, if tampering does occur, you’ll be on top of it.
  • Built-In Data Nonrepudiation will also let you prove who uploaded a specific file, who downloaded it, and that the file uploaded and the file downloaded are identical, giving you the capability to authenticate each user that visits a file, and provide a reliable log of that access.
Forget FTP! Start transferring data the secure and compliant way. Try MOVEit  today.

Want to know more? Check out these resources to learn more about GDPR and its implications:

Seven Steps to Compliance with GDPR

File Transfer and the GDPR

Brexit and the GDPR

Financial Services Data Transfers and the GDPR

And check out this video for a quick overview of the Seven Principles of Data Protection:

 

Topics: security, GDPR, Compliance

Leave a Reply

Your email address will not be published. Required fields are marked *

THIS POST WAS WRITTEN BY Jeff Edwards

Jeff Edwards is a tech writer and analyst with three years of experience covering Information Security and IT. Jeff has written on all things cybersecurity, from APTs to zero-days, and previously worked as a reporter covering Boston City Hall.

Free Trials

Getting started has never been easier. Download a trial today.

Download Free Trials

Contact Us

Let us know how we can help you. Focus on what matters. 

Send us a note

Subscribe to our Blog

Let’s stay in touch! Register to receive our blog updates.