Are your GDPR impact assessments all in place?

By 25th May 2018 you will need to have carried out GDPR impact assessments for all processing activities involving personal data of EU citizens. This is really important, even if you are confident your systems, processes and security is in line with the regulation.

This blog takes you through the reasons why, plus exactly what an impact assessment is in the context of data transfer and file sharing.

What is a DPIA?

The Data Protection Impact Assessment – or DPIA – is described in article 35 of the GDPR and then detailed in article 30. DPIAs need to be created for all new workflows and retrospectively applied to all existing workflows.

A DPIA performs several functions at the same time:

  • It is a risk and impact analysis
  • A description of a workflow including its purpose
  • A breakdown of security settings
  • It forms the basis for subsequent audit reviews.

The reality is that every workflow handling personal data must be fully documented. There is no official template for this document, but it makes sense to adopt a standard form as early in the process as possible. Consider creating two assessments – one top level and one containing the technical detail.

Think of the top level DPIA as an executive summary providing a description of the processing options, and the reason for doing it. This can be as simple as ‘Sending employee Records from HR system to Accounts SFTP server’ and ‘Required for loading monthly payroll’. It should also contain the perceived risks to the process, and any mitigations applied. The DPIA needs to be signed off by the Data Protection Officer.

The more technical DPIA should contain the detail of the workflow. We recommend the following as a minimum:

  • The software in use
  • The Data Controller Name
  • The categories of data being transferred
  • The recipient category (EU/3rd Country/International Organisation)
  • The data retention period
  • The security methods being employed (Encryption, High Availability, recovery options, penetration tests, etc.)

DPIA as a record of processing

Completing a DPIA meets the requirements of GDPR article 30. It means that during an audit, you will be able to provide a document to fully explain each workflow handling personal data.

It also means that you will need to periodically review each DPIA and ensure that they still match the reality of the situation – sometimes every organisation will have an update to a workflow (planned or otherwise) which does not get adequately documented. Similarly, if something outside the actual workflow itself changes (for example, retention periods), then the DPIA needs updating. It makes sense to attach the results of continuity or penetration tests directly to the DPIA as evidence, if ever required.

 

White Paper and supporting resources

You can find out more about this and other aspects of the GDPR for data transfer and file sharing in our White Paper. When you download this you will also receive an example GDPR impact assessment template and interface mapping template. These resources are designed as a guide to support you meeting the requirements of GDPR article 30 and 35.

PGP is the industry standard for securing communications and a common feature of MFT. But it’s recently been at the centre of hacking fears. This guest blog post from Coviant Software CEO Greg Hoffer will alleviate any concerns relating to your Managed File Transfer (MFT) solution.

It was bound to happen one day: the OpenPGP Standard Key Server implementation has fallen victim to attack. When the Pretty Good Privacy (PGP) Keyserver system allows anyone to affix changes (“attestations”) to a given key –these never, ever get deleted. As a result, malicious attackers can “spam” a public key sitting on a key server, adding these attestations over and over again until the key itself becomes too unwieldy to use by some software. This is a clear security issue leading to a “denial of service” attack, rendering that public key unusable for encrypting information.

So how does this affect your MFT solution? It is has no negative impact at all. I have never experienced any customer that uses a KeyServer for OpenPGP key distribution. When creating a transaction to move files between a MFT customer and an external customer, partner, supplier, or vendor it is always the two sides of the file transfer that coordinate the exchange of public keys, either through email or a file transfer protocol like SFTP. Thus, since those public keys are not put onto a public Key Server, they will not have extraneous attestations attached to them, and both sides will be able to process the keys just fine.

Let’s all use this situation as a reminder to be very untrusting when dealing with the security of sensitive data, and not provide an infrastructure that allows anonymous, unregulated edits to information that is vital to secure communications.

Greg Hoffer

CEO, Coviant Software

Your MFT solution is a critical part of your infrastructure, with many business processes depending on it. Without regular maintenance and training, you are risking security and efficiency, and ultimately not getting the best value from your solution.

Our health check service reviews the performance of your software, checking your configuration, version, clean-up rules and more. Our technical consultants will produce and present a report advising on risks we have identified and remedial actions.

Call 0333 123 1240 or contact us online to book a health check today.

Managed File Transfer Buyers Guide