The subject of today’s Data Transfer Show is the countdown to the General Data Protection Regulation, otherwise known as the GDPR, which comes into effect May 25, 2018.
You’ll hear from legal expert Jonathan Armstrong of Cordery Compliance about what the GDPR is and who needs to comply, and our own Kevin Conklin will talk about how a managed file transfer solution can help.
The GDPR, set by the European Parliament, the European Council, and the European Commission, intends to unify all the different regulations and authorities currently in place across the EU. All organizations will need to comply with the GDPR, so the need to further secure your IT infrastructure is now more important than ever.
P.S. You could face fines of up to 20 million euros or 4% of the worldwide annual turnover—whichever is greater.
So, exactly what is the GDPR and what does that mean to businesses?
The 88 pages of the GDPR attempt to blend approaches to data breach notification (in the US, you have to report a breach to a regulator) and preventative regulation (in Europe, you have to try to avoid a breach). “It’s part evolution,” Armstrong said. “It’s part revolution.”
The GDPR will give Europe a general data breach notification requirement across the EU. “It’ll have tougher concentration on the security of personal data. And the definition of personal data is wide, definitely much wider than the PII in US statutes,” Armstrong said.
It will also introduce extraterritorial reach. So even if you’re a US corporation with no footprint on EU soil, if you target EU citizens, you are subject to the GDPR and its penalties.
“It’s a big piece of legislation. The aim is to make organizations much more responsible for the data they handle, and it’s already having a dramatic effect as regulators pick up the tool box that they’ve been given in the new regime,” Armstrong said.
The Consequences of GDPR Noncompliance
Aside from a gigantic fine? The 20 million euro penalty still applies to small businesses, by the way.
One consequence is customer fidelity. “Some of our clients have a monthly call with major customers who have told them that unless they make progress month to month, they will lose that account,” Armstrong said.
There are also already commercial effects of GDPR. Investors care a lot more about GDPR, as do managers, as do clients.
GDPR will change the way companies do business because of the very, very broad scope of liability. “For one simple security breach, for example, the whole organization could fold,” Armstrong said. “Quite often our businesses are concentrating not just on the fines, but also on the attitude of our customers—and how they might be getting aggressive with us to make sure that we take data security seriously.”
Article 32 of the GDPR states, “Controllers and processors must ensure a level of security appropriate to the risk.” But the controller/processor debate has gone on in EU data protection circles “almost since the dawn of time,” Armstrong explained.
The short version is that, under the GDPR, pretty much everyone is liable. It doesn’t matter if you’re a “data controller” in the old sense—someone who controls the data. If you’ve touched the data at all, ever, you’re considered at least a processor, if not an outright controller.
Today, it’s just not always clear who owns the data, much less who “controls” it. Most corporations actually do very little for themselves because so much is done by an outsourced provider.
The GDPR takes away some of that distinction between who’s the processor and who’s the controller. “If you’re responsible for handling data, then you’re responsible for handling data,” Armstrong said—and that means employees, customers, contractors, vendors, or anyone can have liability against the data controller.
How to Prepare for the GDPR
Prepare to be honest. But seriously, businesses need to have a plan. “I’m seeing a lot of people who can’t see the woods for the trees. They’re running around and don’t know where to start.”
Armstrong calls it a retrospective test. “The legislation’s technology neutral, so it doesn’t say you have to do X, Y, or Z. But what it does say is that you have to have a level of security that’s appropriate. That’s always going to be judged with the benefit of hindsight.”
Step one. Have a risk-based analysis. Pick a sensible plan that you think you can achieve in the next year. Meanwhile, review your vendor contracts and understand your dependencies on other organizations.
Next, look at your documentation through the lens of dawn raids. You’re going to have to be able to produce data really quickly, so you might look at a data privacy impact assessment, a DPIA. It’s a great tool to show you how you use your data.
Third, examine your data breach notification plans. You’re going to have 72 hours to report a breach to a regulator, and that’s not a lot of time. “Get battle hardened. Make sure that you’ve got the right tools to be able to see when data goes missing,” Armstrong said. You might need to think about a data protection officer.
Finally, invest in training your staff. Staff are still responsible for more breaches than external actors (because they do silly things like sending secure documents out of the organization). “Make sure that technology helps you, but make sure your employees do as well,” Armstrong recommended.
FTP Is Not GDPR Compliant
File Transfer Protocol (FTP) is still one of the most predominantly used systems for file transfer. GDPR is probably the most stringent data security protection act in the world. Can they get along?
That’s a no, according to Ipswitch’s own Kevin Conklin.
“Compliance auditors have told us that when they look at US firms for Payment Card Industry (PCI) compliance, they think they’re in noncompliance if they see an assemblage of FTP services that are disparately managed,” Conklin said.
But it even goes beyond that, Conklin pointed out. “FTP is a really, really old protocol, dating back to the 1970s before the internet. Even though there are versions of FTP that are secure—they provide secure data transfer in terms of encrypted data—FTP has too many flaws that make it noncompliant.”
Basically, FTP is way short of being GDPR compliant. Non-repudiation, audit trails, visibility and control—you just don’t get that with FTP.
Control and visibility are going to be a big part of staying compliant. You’re going to need a managed file transfer system.
Managed file transfer leverages protocols like SFTP, FTPS, HTTPS, etc., but it provides a layer of management to establish audit trails, real user access controls, integration with security platforms, encryption at rest, public-key encryption, and more.
“There are lots of opportunities in the process of data sharing for you to violate the GDPR principles,” Conklin said. Not being able to track who gets the data, how long it’s stored, what its uses are, whether somebody is hacking into a script or workflow—all are violations of the GDPR.
The GDPR’s principles of data security are founded on informed access, specified in Article 32 but peppered throughout the regulation, meaning you can’t use data without people’s permission.
“File Transfer and the GDPR is our excellent white paper over at Ipswitch,” Conklin said. “It talks about all the different principles: purpose limitation, retention periods, and data security. On top of all those, there’s this thing called the principle of accountability.”
It’s the “dawn raids” concept Jonathan Armstrong pointed out—where the auditors come in and say, Show me your data. “In a distributed FTP environment, that would be a nightmare because you’d have to go scurrying around all your different FTP servers, if you even know where they all are,” Conklin pointed out. It’s hard to provide data you don’t even have.
Here’s what you need for the GDPR: an audit trail that’s automated and that records who accessed the system, what data was sent, where it was sent, who received it, whether they received it, and whether the workflows were changed at all. And it’s got to be fully documented, automated, and accessible to match up with the principle of accountability.
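As an added illustration (not code from the post or from MOVEit), here is a minimal tamper-evident audit trail in Python that records the fields listed above for each transfer event, chains the records with SHA-256 so an altered or deleted entry is detectable, and answers the auditor’s “who received this file?” question. All users, hosts and file names in it are constructed sample values.

```python
# Added example: a hash-chained audit trail for managed file transfers.
# Each record is linked to the previous one, so editing or deleting a
# record breaks the chain and is caught by verify_chain().
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" used by the very first record


def _digest(record: dict, prev_hash: str) -> str:
    # Canonical JSON (sorted keys) so an identical record always hashes the same.
    payload = json.dumps(record, sort_keys=True) + prev_hash
    return hashlib.sha256(payload.encode()).hexdigest()


def append_event(log: list, **fields) -> dict:
    """Append one event (who, what, where, recipient, delivered, workflow change)."""
    prev = log[-1]["hash"] if log else GENESIS
    record = {"seq": len(log), **fields}
    log.append({**record, "prev": prev, "hash": _digest(record, prev)})
    return log[-1]


def verify_chain(log: list) -> bool:
    """Recompute every link; False if any record was altered, removed or reordered."""
    prev = GENESIS
    for i, entry in enumerate(log):
        record = {k: v for k, v in entry.items() if k not in ("prev", "hash")}
        if entry["seq"] != i or entry["prev"] != prev:
            return False
        if _digest(record, prev) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


def recipients_of(log: list, filename: str) -> list:
    """Auditor query: who received this file, and was delivery confirmed?"""
    return [(e["recipient"], e["delivered"]) for e in log
            if e.get("event") == "transfer" and e.get("file") == filename]


def build_sample_log() -> list:
    # Constructed sample events with hypothetical users, hosts and files.
    log = []
    append_event(log, event="login", user="alice", src="10.0.0.5")
    append_event(log, event="transfer", user="alice", file="payroll.csv",
                 dest="sftp.partner.example", recipient="bob", delivered=True)
    append_event(log, event="workflow_change", user="ops",
                 workflow="nightly-export", change="added new destination host")
    return log
```

In a real deployment the chain head would be anchored somewhere the transfer system cannot rewrite (for example a separate log store or signed periodically), otherwise an attacker who can rewrite the whole file can simply recompute every hash.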
What’s absolutely certain is FTP can’t measure up anymore. So where should businesses look next?
We won’t leave you hanging. If your organization is ready to take the first steps of becoming compliant, start a free 30-day trial of our secure managed file transfer solution, MOVEit. For more information, visit our dedicated GDPR page.