Is personal data stored in my file transfer system GDPR compliant?
When you are checking your data transfer systems and processes for GDPR compliance, it is easy to focus on the security surrounding the transfer itself. But there are other requirements for the processing of personal data to consider too. Article 4 defines processing operations as including “storage, retrieval, restriction and destruction”, so essentially the regulation applies to all operations surrounding a transfer, not just the transfer itself. This blog post takes you through data storage in your file transfer system.
The two key things to consider here are:
- Securing the data being stored, whilst making sure it is available in the event of an issue;
- Removing files that are no longer needed.
What the GDPR states
Article 25 is about ‘data protection by design and by default’. We are explicitly told that…
“The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to […] the period of their storage and their accessibility.”
This essentially means that data should only be kept for as long as it is needed and only accessible to those needing it.
Article 32 covers the security of processing and who has access to the data. It requires us to implement appropriate measures, including:
- The pseudonymisation and encryption of personal data;
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Secure but available data
The data that we are storing in a file transfer system must be encrypted, but it must also remain available in the event of an issue, whether through a High Availability (HA) setup or a Disaster Recovery (DR) arrangement, as applicable. Access needs to be secured so that only the right people can reach the data. You also need to carry out regular security testing, so it is time to book your penetration tests!
There are, of course, several Managed File Transfer (MFT) products offering encryption and availability, which tend to be at the higher end of the market. You can achieve similar functionality using PGP encryption prior to presenting data to the transfer system, and regular VM snapshots.
Remove files that are no longer required
You need automated rules or processes in place to remove personally identifiable data or old user details from your file transfer system once it is no longer required. Think, for example, about data you share with your business partners. Too often, we see that files are not removed from the MFT platform immediately following their transfer (both inbound and outbound). The key characteristic of any file transfer system is of course the file transfer function – not file storage. Leaving a file in place after its transfer obviously increases the risk of access by unauthorised people.
Put an agreement in place with your business partners to delete files as they download them. As a backup, you can set up an automated rule to delete files after a certain time.
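As an added illustration (not code from the original post or from any MFT vendor), here is a retention sweep that deletes files from an MFT drop directory once they have passed an assumed seven-day limit and writes a JSON audit line for each deletion. The directory layout, file names and the seven-day figure are constructed assumptions; the dry-run mode lets you review what a rule would remove before enabling it.

```python
import io
import json
import os
import tempfile
import time

RETENTION_SECONDS = 7 * 24 * 3600   # assumed policy: no delivered file stays beyond 7 days

def expire_files(root, retention=RETENTION_SECONDS, now=None, audit_log=None, dry_run=False):
    """Delete regular files under root older than retention; return their sorted paths.
    Symlinks are skipped, so a link into another share cannot trigger deletions there.
    One JSON line per file goes to audit_log so the sweep can be evidenced later.
    """
    now = time.time() if now is None else now
    removed = []
    for dirpath, _dirnames, filenames in os.walk(root):   # os.walk does not follow links
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            st = os.lstat(path)
            if now - st.st_mtime < retention:
                continue                      # still inside its retention window
            if not dry_run:
                os.remove(path)
            removed.append(path)
            if audit_log is not None:
                audit_log.write(json.dumps({"path": path, "bytes": st.st_size,
                                            "mtime": int(st.st_mtime), "swept_at": int(now),
                                            "dry_run": dry_run}) + "\n")
    return sorted(removed)

def demo(dry_run=False):
    """Constructed sample drop: one 10-day-old delivered file and one fresh one."""
    root = tempfile.mkdtemp()
    now = time.time()
    old = os.path.join(root, "inbound", "partner_a", "payroll.csv.pgp")
    fresh = os.path.join(root, "inbound", "partner_a", "invoices.csv.pgp")
    os.makedirs(os.path.dirname(old))
    for p in (old, fresh):
        with open(p, "w") as f:
            f.write("constructed sample\n")
    stale = now - 10 * 24 * 3600
    os.utime(old, (stale, stale))             # backdate the already-delivered file
    log = io.StringIO()
    removed = expire_files(root, now=now, audit_log=log, dry_run=dry_run)
    return (removed == [old], os.path.exists(old), os.path.exists(fresh),
            len(log.getvalue().splitlines()))
```

Run `demo()` to see the stale file removed and the fresh one kept; `demo(dry_run=True)` reports the same candidate without deleting it.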
- Don’t leave data in an MFT system any longer than absolutely necessary;
- Encrypt everything;
- Check your backups or availability solutions and test them regularly;
- Organise penetration tests.