Avoiding the GDPR Data Transfer Pothole – Don’t Let Data Get Lost or Stolen During Transit

September 22, 2021 Security and Compliance, MOVEit

GDPR is now three-years old, and even the largest companies are still regularly caught in its snares. And those that haven't yet run into trouble are maybe more vulnerable than they think. In this blog, learn more about data protection and GDPR compliance.

GDPR is all about protecting data and ensuring privacy, and much of this personal information is in files – files you are likely sending to and from to customers, partners and third parties. Every file you send without full security, encryption and the ability to track and audit is a potential breach – and a possible GDPR violation. In other words, a sitting duck.

The authorities are getting more serious about GDPR all the time, and their expectation is that after three years all those that fall under these rules will understand them and have taken steps to comply. There's not a lot of sympathy from auditors investigating GDPR violations these days. And like a ticket-happy traffic cop, these regulators are not shy about handing out fines.

Even the largest and presumably most tech-savvy companies have been hit and hit hard. Google, tech leader extraordinaire, was fined $57 million for GDPR violations, and Yahoo $85 million.

Here are some other whoppers:

  • Equifax: $575 Million
  • Home Depot: $200 million
  • Uber: $148 million
  • Yahoo: $85 million
  • Capital One: $80 million
  • Morgan Stanley: $60 million
  • British Airways: $26.2 million
  • Marriott International: $23.7 million

Fines aren't just given to the well-heeled – companies of every size can be hit. Osterman Research dug deep into what GDPR is, the consequences it poses and how to stay clear of regulators in its report: ‘GDPR isn’t Getting any Easier: How to Master the Tough Parts’.

“The fine for lower-level infringements is up to €10 million ($12.1 million) or up to two percent of the total worldwide annual revenue from the preceding financial year, whichever is higher. Infringements at this level include failing to enact data protection by design and by default (Article 25), failing to keep adequate records of processing activities (Article 30), and not ensuring appropriate security of processing (Article 32), among others,” the report explained.

Data Protection by Design and Default

Protecting data by design and default means finding every area where data can leak or be breached, taking steps to secure that data and ensuring that any data including file transfers is protected by default. For example, if you're transferring files – each transfer should be done in a secure manner. It is impossible to know which files contain sensitive personal information, and which are just a schedule for the office sports betting pool.

There is a good reason for this data protection mandate. “Data protection under GDPR must be 'by design and by default' (Article 25). This requirement is in service of the overriding principle of minimizing damage to the rights and freedoms of data subjects and includes the mandate for both robust organizational and technical measures,” Osterman argued.

Consequences for Your Business Processes

Penalties aren't the only consequence of running afoul of GDPR regulations. If your processes contributed to the violation – those very processes can also pay the price. “The GDPR’s supervisory authorities have the power to impose restrictions or even cease a particular process, they can implement a remediation program, and they can require frequent audits going forward,” the Osterman report noted.

Aside from processes being halted, some parts of your business may slow to a crawl due to the investigation itself. “Investigation by a supervisory authority will likely create significant disruption across an organization, creating even more financial impact, loss of confidence from customers, prospects, stakeholders and employees. It might also impact shareholders’ support and the share price for a public company. In addition, there is the added risk of the auditor finding additional issues that could require further investigation and remediation,” Osterman found.

Read Osterman’s exclusive report, ‘GDPR isn’t Getting any Easier: How to Master the Tough Parts’

Secure File Transfer is Vital for GDPR Compliance and Overall Data Safety

Many data breaches occur when files are moved within your organization or to partners and other organizations with a vested interest. These breaches come with GDPR investigations and often crippling fines. But with managed file transfer software like Progress® MOVEit®, you can establish secure collaboration and automated file transfers of sensitive personal data. These files are not only moved safely – they include encryption and activity tracking to ensure compliance with GDPR, as well as PCI and HIPAA.

By default, all files sent outside of the company should be handled in a secure and trackable way.

With MOVEit, you no longer worry upon your employees emailing personal data to other employees or outside entities, or using insecure file sharing services. With Managed File Transfer (MTF), you can eliminate user error and track and report the details of every file transfer.

Failing to Keep Adequate Records of Processing Activities

GDPR requires that records of key processing activities be preserved. There are two reasons this is important. If there is a breach or security incident, your IT department needs logs and an audit trail to perform forensics.

GDPR auditors are looking for the same information. If a breach springs those auditors into action, they want to understand what happened and how your environment can be configured so it won’t happen again.

Files are where a great deal of your sensitive information is held, and file transfers are often where the compliance problem lies. If a faulty or insecure file transfer trips the GDPR alarm, you need a record of exactly how many files were transferred and to whom. But more importantly, a proper approach to file security transfer will keep the GDPR regulators at bay because these files will simply not be breached, nor their data leaked. The ability to audit and archive information about these transfers now becomes something essential to IT when they perform security forensics.

Why does this matter? It takes an average of about 18 months for a security breach to be discovered. How do you know what happened and how to prevent it from occurring again if you can't look back at all related activities during the breach? Wouldn’t it be better to know which file was involved, who sent it and to whom, when, and how it was sent?

External File Transfers Pose a Particular Risk

Your company needs to communicate with the outside world, and that includes sending important pieces of information in the form of files to external entities. As we discussed already, these files can be intercepted by cyber criminals, but can also be subject to other forms of unauthorized access or simple end user mishandling, opening the files up to those that shouldn't see it.

Many companies try and secure external data transfers by creating policies that warn end users of the dangers, or by using file sharing solutions they believe to be secure or even FTP systems. None of these three offer the security that GDPR demands. The best option is a Managed File Transfer (MFT) solution such as MOVEit from Progress.

GDPR doesn’t just ask for compliance, it requires your IT and security teams to prove compliance – with evidence. That’s no problem with MOVEit, which tracks all file transfer activities, including authentication actions, in an archivable database.

With MOVEit, your end users can stop relying on insecure methods to share your company’s most precious and regulated information. Meanwhile, workflows and automated file transfer tasks accelerate your data sharing process while eliminating user error.

Get the Full GDPR Rundown

Read Osterman’s exclusive report, ‘GDPR isn’t Getting any Easier: How to Master the Tough Parts’.

Get more details on Managed File Transfer, or get a free trial.

Nothing in this document constitutes legal advice. The reader should consult with legal counsel regarding its legal and/or compliance obligations. Progress makes no representation or warranty regarding the completeness or accuracy of the information contained herein.

Doug Barney

Doug Barney was the founding editor of Redmond Magazine, Redmond Channel Partner, Redmond Developer News and Virtualization Review. Doug also served as Executive Editor of Network World, Editor in Chief of AmigaWorld, and Editor in Chief of Network Computing.

Read next Getting to the Bottom of GDPR – the Expert View From Osterman Research