GDPR AND FILE TRANSFER
It is highly likely that your data transfer and file sharing system receives, transfers and stores personal data in some form. That means it falls within the scope of the General Data Protection Regulation (GDPR). The following security, auditing and governance capabilities will help keep your system in line with the regulation:
- Data retention policies
- Secure data transfer protocols
- Encryption of data at rest
- Detailed auditing and reporting
- Authentication and access control options
- High availability / disaster recovery
- Integration with AV and DLP tools
- Controlled platform for ad-hoc sharing/collaboration
GDPR COMPLIANCE WITH EFT ENTERPRISE
Secure protocols to protect data in transit
Robust authentication to control who can access data, plus optional multifactor authentication
Full audit log to trace data
Encryption options for protecting data at rest, including OpenPGP
Optional secure data wiping, otherwise known as data sanitising
Locally managed or AD-managed access controls over what data can be accessed
Automated, scheduled clean-up actions help you comply with storage-retention requirements
User account information is always stored encrypted
Most of these features can be achieved on EFT SMB through additional modules or configuration.
ADDITIONAL EFT MODULES FOR GDPR
Workspaces vs shadow IT
With shadow IT such as WeTransfer or consumer-grade Dropbox, you do not get visibility of transfers, which is a must for GDPR compliance. Such tools also lack in-built security, putting information at risk and further compromising compliance.
Workspaces for EFT makes it easy for end users to share files of virtually any kind via any web browser, allowing others to access, upload, and download folders and files. Employees can share files in the way they have become used to, but securely, with enhanced governance and visibility of your data. With Workspaces for EFT you can:
- Empower your end users with secure file sharing between employees and external partners
- Retain full control and visibility of your data
- Integrate with Outlook for person-to-person file transfers
- Securely send files from your browser
- Generate reports on file transfer activity
Content Integrity Control module (CIC)
This allows EFT to integrate with data loss prevention (DLP) and data classification systems via the Internet Content Adaptation Protocol (ICAP). MFT solutions such as EFT deal mostly with unstructured files, rather than semi-structured data such as JSON or XML, so the content of those files is almost completely opaque to the EFT platform.
Due to this architecture, upstream or downstream processes need to exist to determine whether files that are processed through EFT contain personal data, including controls that would allow or disallow processing of that data.
EFT's optional support for the ICAP protocol allows it to side-channel files that are being received or that are about to be processed, so that a third-party system can examine and flag those files (disallowing further processing), or even modify their content, including replacing personal or other sensitive data with alternate content.
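A minimal illustration of the ICAP side-channel described above, written as an added example for this page and not code from EFT or the CIC module: a toy inspection service that parses one ICAP REQMOD request carrying an upload, scans the body with a constructed detector, and answers 204 (unchanged), an HTTP 403 (blocked) or a redacted copy of the upload. The service names, the detector pattern and the ISTag value are assumptions.

```python
import re
# Constructed detector for illustration only: e-mail addresses and a UK-style NI number.
PII_RE = re.compile(rb"[\w.+-]+@[\w-]+\.[\w.]+|\b[A-Z]{2}\d{6}[A-D]\b")
ISTAG = b'ISTag: "pii-scan-1"\r\n'  # hypothetical service tag; ICAP replies must carry one
NO_CHANGE = b"ICAP/1.0 204 No Content\r\n" + ISTAG + b"\r\n"

def decode_chunked(data: bytes) -> bytes:
    """Decode a chunked-encoded ICAP/HTTP body into the raw file content."""
    out, pos = b"", 0
    while True:
        end = data.index(b"\r\n", pos)
        size = int(data[pos:end].split(b";")[0], 16)
        if size == 0:
            return out
        out += data[end + 2:end + 2 + size]
        pos = end + 2 + size + 2

def encode_chunked(data: bytes) -> bytes:
    return (b"%x\r\n%s\r\n" % (len(data), data) if data else b"") + b"0\r\n\r\n"

def icap_200(section: bytes, hdr: bytes, body: bytes) -> bytes:
    """Wrap an HTTP header block and body as an ICAP 200 reply (section is b"req" or b"res")."""
    enc = b"Encapsulated: %s-hdr=0, %s-body=%d\r\n" % (section, section, len(hdr))
    return b"ICAP/1.0 200 OK\r\n" + ISTAG + enc + b"\r\n" + hdr + encode_chunked(body)

def handle_reqmod(raw: bytes, mode: str = "redact") -> bytes:
    """Inspect one ICAP REQMOD request (an upload side-channelled by the MFT server)."""
    icap_head, _, encapsulated = raw.partition(b"\r\n\r\n")
    enc = re.search(rb"Encapsulated:([^\r\n]*)", icap_head).group(1)
    offsets = {k: int(v) for k, v in re.findall(rb"(\w+-\w+)=(\d+)", enc)}
    if b"req-body" not in offsets:  # null-body: nothing to scan
        return NO_CHANGE
    req_hdr = encapsulated[:offsets[b"req-body"]]
    body = decode_chunked(encapsulated[offsets[b"req-body"]:])
    if not PII_RE.search(body):
        return NO_CHANGE  # clean: let the transfer proceed unmodified
    if mode == "block":  # REQMOD lets the scanner answer with an HTTP response instead
        res_hdr = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n"
        return icap_200(b"res", res_hdr, b"Upload blocked: personal data detected\n")
    redacted = PII_RE.sub(b"[REDACTED]", body)
    req_hdr = re.sub(rb"Content-Length: \d+", b"Content-Length: %d" % len(redacted), req_hdr)
    return icap_200(b"req", req_hdr, redacted)

def build_reqmod(upload: bytes) -> bytes:
    """Build a sample REQMOD request (constructed test input, not a real capture)."""
    req_hdr = (b"POST /upload HTTP/1.1\r\nHost: mft.example\r\n"
               b"Content-Type: text/plain\r\nContent-Length: %d\r\n\r\n" % len(upload))
    return (b"REQMOD icap://dlp.example/pii ICAP/1.0\r\nHost: dlp.example\r\n"
            b"Encapsulated: req-hdr=0, req-body=%d\r\n\r\n" % len(req_hdr)
            + req_hdr + encode_chunked(upload))
```

A real deployment would bind this logic to a TCP listener on the ICAP port and point the MFT server's ICAP setting at it; the decision (204, 403 or modified request) is what the file transfer platform acts on.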
Auditing & Reporting Module (ARM)
Under GDPR Article 30, you have a responsibility to log and report data transfers that include personally identifiable data. ARM provides access to a full range of pre-configured reports, meaning you can evidence which users sent and received which data. Combining this with the additional Insight module delivers customised reporting and real-time monitoring, and tracks SLAs against your data movement.
High Security Module (HSM)
GDPR Article 32 recommends security measures, including encryption. SFTP/FTPS and HTTPS enable encryption in transit. The High Security Module enables AES256 encryption at rest, securing your files as they land and until they are moved or deleted from the server. It also secures deleted files, overwriting the data so it cannot be retrieved (3-pass DoD).
Implementing the Gateway allows you to move your EFT server inside your secure network as an alternative approach to securing the files at rest. It is a multi-platform solution that works in conjunction with EFT to create a multi-layered DMZ security solution for data storage and retrieval, authentication, and firewall traversal. This ensures there is no unencrypted data in the DMZ, which mitigates the risk of external threats.
The following technical top tips and guides are useful resources to support GDPR compliance with EFT Server.