GDPR Will Soon be Everywhere as Canada Preps its Own Version

January 10, 2022 Security and Compliance, MOVEit

Everyone, it seems, is copying Europe's GDPR, with California famously crafting its own California Consumer Protection Act (CCPA). In addition to other US states, entire countries such as Brazil and Australia have their own GDPR derivatives.

Canada is the latest GDPR-like entrant, having drafted the Canadian Consumer Privacy Protection Act, or CPPA. Rather than carp about what Canada's CPPA is all about (we'll touch on that later), our main point is this: regardless of where you do business, GDPR or a regulation of its ilk applies to you, so you had best get ready. While GDPR is centered on Europe, any entity that does business there must comply.

A Quick CPPA Rundown

Think of CPPA as closely aligned with GDPR, with a few twists including stiffer penalties – up to 5% of a company's annual revenue versus 4% for GDPR.

Other CPPA highlights include:

  • A mandate that companies implement privacy management programs to help ensure compliance, including updated compliance and security policies, procedures, employee training, and improved security controls.
  • Companies and individuals can bring private actions against those that fail to comply with CPPA.

Get Ready for GDPR Everywhere by Keeping Files Safe – and Compliant

GDPR and regulations of its kind are focused on protecting data and ensuring privacy. Most of this sensitive information is contained in countless files, and those files are passed around in a myriad of unsafe ways, such as email. Every file sent by email or by a file sharing service that lacks encryption and the ability to know who it went to and whether it arrived is a potential breach and a possible regulatory violation. In other words, a problem waiting to happen.

By default, all files sent outside of the company should be handled in a secure and trackable way. 

Learn more about file transfer and compliance by reading our File Transfer and GDPR whitepaper.

No Compliance Without Logging

GDPR and similar regulations require that records of key processing activities be preserved. There are two reasons this matters. First, if there is a breach or security incident, your IT department needs logs and an audit trail to perform forensics.

Second, compliance auditors look for the same information. If a breach springs those auditors into action, they want to understand what happened and how your environment can be configured so it won't occur again.

Files are where a great deal of your sensitive information is held, and file transfers are often where the compliance problem lies. If a faulty or insecure file transfer trips the regulatory alarm, you need to have recorded exactly how many files were transferred and to whom. More importantly, a proper approach to file security will keep the regulators at bay because the files will not be breached and their data will not be leaked. The ability to audit and archive information about these transfers is essential for security forensics.

External File Transfers Pose a Regulatory Risk

Your company needs to communicate with the outside world, including sending essential information in the form of files to external entities. While these files can be intercepted by cybercriminals, they are also subject to other forms of unauthorized access or simple end-user mishandling, opening the files up to those that shouldn't see them.

The point is, you must protect files not just from criminals but from mistakes and errors as well. A survey of 255 IT professionals showed that only 27% of data breaches result from "malicious behavior." A staggering 46% of all data breaches were caused by "process or network failures."

Many companies try to secure external data transfers by creating policies that warn end users of the dangers, or by using file-sharing solutions they believe to be secure. Neither approach offers the security that GDPR-style regulations demand. The best option is a Managed File Transfer (MFT) solution such as MOVEit from Progress.

These rules don't just ask for compliance; they require your IT and security teams to prove compliance with evidence. That's no problem with MOVEit, which tracks all file transfer activities, including authentication actions, in an archivable database.

File Compliance Tips and Tricks

Data privacy regulations generally require what GDPR calls "fair, lawful and transparent processing." They also require non-repudiation, an essential aspect of data privacy regulations: organizations must be able to validate that personal data is passed only from authorized senders to authorized receivers.

This requires a central system with tight access controls to protect user credentials, access permissions, and all relevant personal data.

Organizations must also adhere to "data minimization," meaning data collection and its processing must be strictly limited to only required information.

One answer is comprehensive analytics that show how files are handled, and especially how they are transferred, so that you can remain in compliance.

Data must not only be protected but also be accurate.

When it comes to files, you need automatic file integrity checking to prove the file has not been altered.

Data must also be kept confidential with complete integrity, meaning it is safe from internal and external security threats.

An excellent protection here is the encryption of personal data both in transit and at rest.

Finally, IT is accountable for complying with key regulations and must document this compliance.

This can be handled by automatically collecting, reporting, and analyzing data and file transfer logs, ideally through a single consolidated interface. These logs should also record whether files were tampered with, to ensure accuracy.
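As an added illustration of the integrity checking and transfer logging the tips above call for (example code written for this page, not MOVEit's code or anything from the original post), the Python below hashes each file at send time, records sender, recipient and hash in a transfer log, verifies a received copy against that record, and counts transfers per recipient. It goes one step beyond the text by chaining each log record to the previous one, so that a record doctored after the fact is detectable. All names, addresses and the payroll sample are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_digest(entry: dict) -> str:
    return sha256_hex(json.dumps(entry, sort_keys=True).encode())  # canonical JSON

def log_transfer(log: list, sender: str, recipient: str, name: str, data: bytes) -> dict:
    """Record who sent what to whom, with the file hash taken at send time;
    'prev' chains each record to the one before, so edits to the log show up."""
    entry = {"ts": datetime.now(timezone.utc).isoformat(), "sender": sender,
             "recipient": recipient, "file": name, "sha256": sha256_hex(data),
             "prev": entry_digest(log[-1]) if log else "0" * 64}
    log.append(entry)
    return entry

def verify_received(log: list, name: str, recipient: str, data: bytes) -> bool:
    """Compare a received copy with the recorded hash; no record means no provenance."""
    hits = [e for e in log if e["file"] == name and e["recipient"] == recipient]
    return bool(hits) and sha256_hex(data) == hits[-1]["sha256"]

def log_is_intact(log: list) -> bool:
    """Walk the chain; an edited or deleted record breaks a later 'prev' link."""
    expected = "0" * 64
    for e in log:
        if e["prev"] != expected:
            return False
        expected = entry_digest(e)
    return True

def transfers_per_recipient(log: list) -> dict:
    """How many files went to whom: the first figure an auditor asks for."""
    counts: dict = {}
    for e in log:
        counts[e["recipient"]] = counts.get(e["recipient"], 0) + 1
    return counts

def demo() -> tuple:
    log: list = []  # constructed sample: one payroll file sent to two recipients
    payroll = b"employee,iban\nA. Smith,DE00 0000 0000 0000 0000 00\n"
    log_transfer(log, "hr@example.com", "bank@example.net", "payroll.csv", payroll)
    log_transfer(log, "hr@example.com", "auditor@example.org", "payroll.csv", payroll)
    ok = verify_received(log, "payroll.csv", "bank@example.net", payroll)
    altered = verify_received(log, "payroll.csv", "bank@example.net", payroll.replace(b"00", b"99"))
    counts, chain_ok = transfers_per_recipient(log), log_is_intact(log)
    log[0]["recipient"] = "x@example.net"  # simulate a record doctored after the fact
    return ok, altered, counts, chain_ok, log_is_intact(log)
```

In a real deployment the log would live in an append-only store with the chain head kept outside it, so that the archive and the report an auditor sees come from the same evidence.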


The MOVEit Compliance Answer

With MOVEit, you no longer worry about your employees emailing personal data to other employees or outside entities or using insecure file-sharing services. With Managed File Transfer (MFT), you can eliminate user error and track and report the details of every file transfer.

With MOVEit, your end users can stop relying on insecure methods to share your company's most precious and regulated information. Meanwhile, workflows and automated file transfer tasks accelerate your data sharing process while eliminating user error. 

MOVEit's advanced security and flexible architecture allow you to implement the controls you need to assure GDPR-compliant file transfers. MOVEit Secure Managed File Transfer provides encryption of data in transfer and at rest, non-repudiation, data integrity checks, integration with your existing security systems, and detailed logs of file transfer activity.


Doug Barney

Doug Barney was the founding editor of Redmond Magazine, Redmond Channel Partner, Redmond Developer News and Virtualization Review. Doug also served as Executive Editor of Network World, Editor in Chief of AmigaWorld, and Editor in Chief of Network Computing.
