Over the last 6 months I’ve been asked many questions about file transfer and GDPR, and how AMS File Transfer can help work towards GDPR compliance. As most of you are aware, the new GDPR regulations come into force on May 25th, 2018. Although plenty of notice has been given to introduce the necessary changes, the deadline is coming around quickly and has left organisations frantically looking for solutions that will cover their GDPR headache.
Whilst there is a lot of focus on the handling and security of personal data within your organisation, it’s also very important to consider the need to transfer personal data to third parties. This transfer process also needs to be secure and GDPR compliant, and should be seen as an extension of your internal data policy. In terms of file transfer, there are some key areas of GDPR that we must comply with.
Below are some key areas where GDPR impacts data transfer and file sharing. For each one I have referenced the relevant article within the GDPR regulations and then described how AMS File Transfer features address the requirement.
1. Consent of the data subject
In Article 4, GDPR defines ‘consent of the data subject’. Our solution will allow you to publish your privacy policy and consent message as terms and conditions for users to accept before they use the system.
2. The individual’s rights to access, rights to remove and rights to portability
Articles 15, 17 and 20 refer to the individual’s rights to access, rights to removal and rights to portability. Our solution provides a secure mechanism to send files and data to individuals in the correct format, for example in response to a subject access request. It also provides the ability to quickly delete transfers and data, or to set retention policies on them.
3. The ability to restore the availability of personal data in the event of a physical or technical incident
Article 20 states the requirement to restore the availability of personal data in the event of a physical or technical incident, so having a resilient HA/DR solution is fundamental. File Transfer can be set up in your own resilient environment using VMs on premise, or in our cloud environment hosted on Microsoft Azure in the UK.
4. Data Protection by design and default
Article 25 focuses on ‘Data Protection by design and default’. This is about embedding data protection into business processes, systems and services from the outset; not as an afterthought.
This means access to personal data should be restricted to only those people who have a necessary and justifiable business need. AMS File Transfer gives businesses the opportunity to restrict who sends and receives secure information through a single corporate solution, controlled through permissions and authentication options.
5. Record of processing activities
Article 30 focuses on ‘Record of processing activities’. This means organisations should have a log showing all personal data transfers that occur. This is provided through the auditing and reporting capability within File Transfer. Auditing is done at both the file transfer level and the system event level, and is accessible through an administrator.
6. Security of processing
Article 32 focuses on ‘Security of processing’. It states that organisations must ‘ensure a level of security appropriate to the risk’, and outlines the requirement for ‘encryption of personal data’.
All files sent and received through our system are encrypted using AES-256 encryption, both in transit and at rest. We provide a full audit of users, file transfers and system changes.
Many traditional file transfer methods, such as email, FTP/SFTP sites, consumer file sharing sites and physical media, will fall short of the new GDPR regulations, but as you can see AMS File Transfer is a quick win when working towards your overall GDPR objectives.
I hope you find this useful, and please get in touch if you would like to see a short demonstration of AMS File Transfer.