CIOs, CISOs, data protection officers and compliance managers who work for businesses that interact with citizens in the European Union (EU) now need to be on-guard. The countdown for the General Data Protection Regulation (GDPR), which went into effect May 25, is over.
The regulation is one of the most stringent and costly data protection laws yet for any organization that fails to comply. With data volumes growing exponentially, and the constant need for data portability between on-premises and cloud environments, adhering to the GDPR directive presents a tricky challenge.
GDPR is predicated upon seven principles that seek to protect the rights and freedoms of individuals living in the EU. Citizens that live in the UK also fall under the protection of the GDRP, despite the pending Brexit initiative.
Leveraging the principles to comply with the GDPR regulation can save you a lot of money. If a data breach occurs, regulators will evaluate whether you incorporated appropriate technologies that could have prevented the attack. If not, the penalty for non-compliance can run as high as €20 million (roughly $26.6 million) or 4% of global annual turnover—whichever is higher.
European-based businesses are not the only ones who need to take notice. U.S. companies that do business with customers in Europe are also subject to GDPR penalties. This is not such a bad thing. Complying with GDPR can also generate benefits. In addition to helping you avoid fines, the seven principles offer solid guidelines for building a secure IT infrastructure to avoid data breaches and protect your digital assets. Given all the massive data breaches that occurred in 2017, that’s a worthwhile pay-off on its own.
Best Practices for GDPR Compliance Principles
The GDPR data processing protection principles are meant to assure that the rights of individuals are prioritized as businesses design, deploy and manage systems to collect and process personal data. File transfer systems, which fall under the definition of processing data, must provide the necessary functionality in order to enable compliance with GDPR. In this article, we take you through a rundown of the seven GDPR principles and the corresponding file transfer best-practice capabilities you will want to utilize.
Principle 1 - Fair, Lawful and Transparent Processing
Care must be used when designing and implementing personal information-processing activities. The required file transfer functionalities to address this principle include non-repudiation in order to validate personal and sensitive data are transferred only between authorized senders and receivers. Businesses must also apply centralized, fine-grained access control to safeguard user credentials, permissions and personal data.
Principle 2 - Purpose Limitation
Personal data collected for one purpose should not be used for another incompatible purpose. To comply with this principle, replace cryptic file transfer scripts with a forms-based system that provides a standardized, secure and documented record of data-transfer tasks.
Principle 3 - Data Minimization
Collection and processing should be limited to the personal data that’s needed to achieve the stated purpose. This can be accomplished through comprehensive analytics that provide the required insights into file transfer activities to assure on-going compliance with GDPR data protection principles.
Principle 4 – Accuracy
All reasonable steps must be taken to ensure personal data is accurate. The key process to apply here is automatic file-integrity checking when transferring files. This validates that files have not been altered.
Principle 5 - Retention Periods
Personal data should not be retained longer than needed for the stated purpose. Business should thus make sure their file transfer system allows for the scheduling of common repetitive pre-transfer and post-transfer tasks, including the scheduled deletion of personal data files.
Principle 6 - Data Security
Personal data must be secured against internal and external threats, accidental loss, destruction and damage. To satisfy the requirements of this principle, encrypt personal data in transit and at rest during file transfer processes. The file transfer system should also be integrated with data loss prevention and anti-virus systems.
Principle 7 – Accountability
Compliance with all the data protection principles listed above and below must be documented. GDPR requires businesses and organizations to address this principle through automatic collection and reporting on data transfer logs. The logs and reports should then be stored in one centralized consolidated location, and the audit logs must be tamper-evident in order to be trusted for accuracy.
Applying the best practices described above to comply with the seven principles of GDPR can also play a key role in intent-based networking initiatives. This approach makes it easier to apply security and compliance policies across disparate devices by abstracting networks, which is a form of network virtualization.
Below is an infographic that you can use for quick reference when it comes to these 7 principles.
Streamlining Your GDPR Compliance Efforts
No doubt, it will be difficult to comply with GDPR requirements—it has 87 pages of detailed requirements and 99 articles of specifications. To streamline the process, the key is to focus on the requirements that require you to add or adjust your IT processes and systems. Some of the more important aspects of GDPR to consider are properly managing the authorized consent of collecting personal data from EU residents; building data protection into every processes and system that collects personal data; and minimizing as much as possible the amount of personal data collected and stored as well as the timeframes for keeping that data.
For more information on how to comply with GDPR, check out this GDPR FAQ and the GDPR 10-Step Action Plan. As these and other resources convey, for any organization conducting business with EU citizens, GDPR-readiness is essential.
And if you’re looking for a low-risk, cost-effective way to comply with GDPR and the seven data-protection principles, a managed data transfer solution such as Ipswitch MOVEit File Transfer will get the job done. MOVEit integrates secure data transfer with centralized workflows, access control, and audit logging. This approach results in fewer moving parts, which then translates into lower risk to personal data—and less time and money spent managing and supporting data-transfer processing activities.