General Data Protection Regulation (GDPR)
and Managed File Transfer

Unprepared for GDPR?

Personal data can be exchanged in a number of ways, i.e. system-to-system (upload of batch files, scheduled FTP transfers etc.), system-to-human (planned reports, ad-hoc enquiries etc.) and human-to-human (e-mails, flash drives etc.).

Companies with uncoordinated and decentralized data exchange run the risk of committing data breaches as of May 25th, 2018. Whether intentional or accidental, data leakage from key business applications continues to be a threat for many companies. Leakage can result in data breaches that violate rules, including: internal compliance mandates, partner or customer service level agreements (SLAs), and privacy or data protection laws like GDPR.

Not meeting GDPR requirements represents an existential risk for companies. Violations can cost your company in fines, time and money (potentially €10-20 million and up to 2-4% of worldwide group turnover). The penalties for inadequate protection of personal data also have an impact on those who are directly responsible, e.g. Managing Directors, board members, Data Controllers, CISO etc.

GDPR requires risk management

Data Protection Impact Assessments for technologies which have a high risk of processing personal data need attention in the following areas:

• Application design
  The design of the application already focuses on data protection with the principles of ‘data protection by technology design’ and ‘data protection by default’.
• Secure exchange of data
  Encryption and anonymization of data, ensuring the confidentiality, integrity and availability of systems as well as services and recovery after a physical or technical incident is required.
• Option to delete the personal data of an individual
  Individuals have the right to request that companies delete any Personally Identifiable Information (PII) relating to them, just by withdrawing their consent. In one-off cases this request might be difficult to fulfill, but is still achievable. However in large organizations, or if many requests come in at the same time, it can become too difficult without prior preparation. This can lead to the requirement of a consent management hub to track the whereabouts of PII. However, a prerequisite for such a hub is integration so that systems holding and/or transferring PII have interfaces to interact with the hub.
• Operation of secure cloud services
  The majority of companies use cloud services from external service providers to some extent. The provider liability introduced by GDPR means that providers of cloud services can increasingly be held liable; however the correct choice of s service provider and the evaluation of the implemented measures to protect data remains a real challenge. Certifications and attestations by external auditors form a good basis for evaluation.
• Legal framework conditions
  An exchange of data with the USA is only legitimate if corporate binding rules or contracts based on the EU standard contractual clauses have been concluded within an affiliated group of companies.
  
  Companies must enter into order processing agreements or nondisclosure agreements (NDA) with their customers, IT service providers, consulting partners and data center providers. Generic order data processing contracts are no longer sufficient. Order processing agreements by GDPR must contain an order-specific part. This describes the order-specific technical and organizational data protection measures in detail.
  For unstructured data there are still many FTP channels around while at the same time Internet file sharing services have become common. For both scenarios it can be difficult to have a reliable order processing contracts.
• Burden of proof
  Due to the accountability requirements of the GDPR, documentation becomes even more important, so data protection track records need to become more detailed.
  Proof of the effectiveness of the measures by means of internal audits, external certifications and attestations (e. g. ISO/IEC 27001 and ISAE 3402 (SOC 1) Type 2) are needed.
  Currently there is no official GDPR certification process. Therefore ‘GDPR compliance’ as such cannot currently be recognizably achieved. However, consideration paid to the above technology areas will help prepare you for GDPR compliance as and when certification becomes available.

Data Protection for Files in Transit

Sharing files amongst people and systems is essential to today’s increasingly automated business operations. But when file sharing is not included in the design, execution and monitoring of core business processes, costly vulnerabilities are inevitable.

With a secure Managed File Transfer (MFT) solution, business-critical data of a company can arrive at the right time and in the right place. Besides PII this could also be financial data, price lists, contracts, payment information, intellectual property, inventory, orders or supply chain data etc. At the same time, the sender is able to track and prove receipt.

SEEBURGER BIS MFT is a solution that provides secure and monitored end-to-end management of all file transfers.

Besides being ready for GDPR other reasons for data protection exist in many industries:

• Retail: Exchange of large product imagery with suppliers and financial details with banks
• Consumer Goods: Brand teams collaborating with external parties on marketing material
• Media: Transfer of digital video files and creative assets
• Manufacturing: Distributing marketing content to regionally located centers
• Engineering: Multi-party exchange of CAD files for virtual teams
• Financial Services: Payment processing and the exchange of payments for services and goods

SEEBURGER BIS MFT is a solution that can help businesses become GDPR ready. With an MFT solution in place, every file is governed by policies and it will help validate, check and securely move data of any size between internal applications, companies, partners, customers and employees. This also avoids hidden costs of ‘free’ file sharing by way of the business advantages realized by including file transfer in your business process management strategy.