Lately, we've been receiving an increasing number of inquiries from customers as to how JSCAPE MFT Server can ensure GDPR readiness. Because MFT Server is equipped with several features for securing data, it readily meets a number of GDPR provisions for the protection of EU residents' personal data. In this post, we'll tackle the most relevant provisions and explain how you can leverage MFT Server to achieve compliance.
You can view the complete General Data Protection Regulation (GDPR) here.
As stated in Article 1(1), the GDPR "lays down rules relating to the protection of natural persons with regard to the processing of personal data...."
Because Article 4(1), defines 'processing' as any operation or set of operations performed on personal data through collection, storage, retrieval, disclosure by transmission, dissemination, and so on, the data transfers and other accompanying operations that you perform on EU individuals' personal data on file transfer servers are therefore considered 'processing' and thus must be done in accordance with the provisions of the Regulation.
If you're only using a regular file transfer server coupled with automation scripts for those operations, achieving compliance with the GDPR could be a huge challenge. JSCAPE MFT Server makes it easier. Let's look into those provisions now and see why.
Article 5 - Principles relating to processing of personal data
Article 5 includes a couple of provisions that impact personal data that's transmitted and stored by file transfer servers.
One of these is Article 5(1)(b), which not only specifies that personal data be collected only for specified, explicit and legitimate purposes but also prohibits the same data from being further processed in a manner that is not in line with the stated purpose. There are many ways to prevent the unauthorized processing of personal data using MFT Server. Some of the things you can do include:
- Creating DLP rules to detect certain types of information and restrict their movement;
- Using Triggers to move, delete, or archive files (presumably containing personal data) after certain conditions are met (e.g. after the duration for the intended purpose elapses).
- Limiting access to group folders (again, presumably containing personal data) to users with expiring user accounts.
Next is Article 5(1)(d), which stipulates that personal data should be kept accurate. In file transfers, the accuracy of personal data can be at risk if the data is sent in plaintext. In this form, the data can be subjected to a man-in-the-middle attack and tampered by malicious individuals. This threat can be mitigated by using secure file transfer protocols that support digital signatures. Some of these protocols include FTPS, SFTP, HTTPS, and AS2 over HTTPS, all of which are already built into MFT Server.
Another is Article 5(1)(e), which broadly defines how data retention policies should be framed in order to meet the GDPR's storage limitation principle. According to this section, "personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed." In order to enforce data retention policies in MFT Server, you can use a combination of directory monitors and triggers similar to the setup in the article "How To Delete Old Files From Your Server".
Lastly, there's Article 5(1)(f), which requires that data processing be done in a manner that ensures the security of personal data, including protection against unauthorized processing as well as accidental loss, destruction, or damage. The article "10 Essential Attributes of a Secure File Transfer" provides an overview of what needs to be done to achieve this.
Article 24 and 28 - Responsibilities of the controller and processor
In the context of the GDPR, the controller is the party who determines the purpose for and manner of processing personal data, while the processor is the party who processes the data in behalf of the controller. The processor can be a separate organisation or a business unit in the same organisation as the controller.
Part of the controller's or processor's responsibilities is to implement appropriate technical measures to ensure that processing is performed in accordance with the Regulation. If you're a controller or processor seeking to leverage MFT Server to achieve this, you can refer to our large collection of secure file transfer blog posts for guidance.
Article 25 - Data protection by design and by default
Article 25(2) requires controllers to implement technical measures to ensure that "only personal data which are necessary for each specific purpose of the processing are processed". It further adds that that obligation applies to the amount of personal data collected, the extent of their processing, and the period of their storage and their accessibility.
In MFT Server, the extent of processing as well as the period of storage can be controlled through the use of appropriate trigger events and trigger conditions. Here are some examples illustrating the use of events and conditions:
- Auto Upload Files To A Remote Server Upon Arrival At A Local Directory
- How To Automatically Decrypt PGP-Encrypted Files Upon Upload
- How To Delete A File On Your Server After It’s Downloaded
- Uploading a 2nd File Only If The 1st Succeeds - Using 1 Trigger
- How To Zip Old Files On Your File Transfer Server
Accessibility, on the other hand can be controlled through the use of Groups and virtual paths. These two articles can introduce you to these two features:
- Setting Up Groups on JSCAPE MFT Server
- PGP Encrypting Every Single File Uploaded By Members Of A Group
Article 32 - Security of processing
Article 32 provides prescriptions for both controllers and processors with regards to the technical measures they need to implement to ensure the security of personal data. The recommendations include:
Encryption of personal data
Ensuring the confidentiality, integrity, availability and resilience of processing systems and services
Confidentiality can be upheld through the encryption features mentioned earlier, while integrity requirements can be met through the use of digital signatures and MDNs (in the case of AS2 data exchanges). Availability and resilience, on the other hand can be achieved through various high availability features and configurations.
Having the ability to achieve timely resumption of availability and access to personal data in the event of a disruption
One way to achieve this is by setting up an active-passive high availability cluster. The blog post "How To Set Up A SFTP Active-Passive Cluster" has an excellent example for this type of HA configuration.
Being able to establish a process for testing, assessing and evaluating the effectiveness of technical measures for ensuring the security of processing
Although there's no way of doing this on JSCAPE MFT Server itself, you can use JSCAPE MFT Monitor to carry out load tests on your JSCAPE MFT Server instances and determine how resilient those instances can be in under certain degrees of workload.
Article 34 - Communication of a personal data breach to the data subject
This article stipulates what needs to be done in the event of a data breach that involves personal data. If such a data breach happens, controllers are required to notify the affected individuals 'without undue delay' unless certain conditions are met.
Most companies prefer to avoid these breach notification exercises because they're time-consuming, costly, and cause reputational damage.
Fortunately for users of JSCAPE MFT Server, one of these conditions, which is specified in Article 34(3)(c), is that the controller should have implemented appropriate technical protection measures that would render personal data unintelligible to people who are not authorized to access it. One of the measures cited (actually, the only measure cited as an example) is encryption.
Once again, that means you can use JSCAPE MFT Server's data-in-motion encryption (e.g. FTPS, SFTP, HTTPS) and data-at-rest encryption (OpenPGP) features to avoid having to inform affected individuals of the data breach.
Traditional file transfer systems that don't have built-in security features can make your GDPR compliance initiatives a costly, complicated, and time consuming exercise. You can simplify things by using JSCAPE MFT Server.