MFT for GDPR Compliance [Penalties, Solutions & Security]

Using MFT for GDPR compliance is a game-changer for companies across the world. How can your company benefit from MFT? Keep reading to learn how.

How can MFT help with GDPR compliance? Specific managed file transfer (MFT) platforms can help with GDPR compliance if they are properly configured by encrypting data, creating audit logs and being able to look at who has access to what.

What Is Managed File Transfer for GDPR Compliance?

Managed File Transfer (MFT) isn’t a protocol or program in itself, but rather a platform that supports automated flows with several layers of security and tools for high-level data management.

Now, when we say “file transfer” we aren’t talking about email or instant messenger. Rather, we are talking about automated, high-volume and large-size file transfers that businesses, particularly enterprises, use to pass data back and forth quickly and at scale.

Many organizations will use a simple FTP or SFTP server to facilitate such transfer. These organizations tend to miss out on critical enterprise functionality, like controls related to compliance or IT management. That’s where MFT comes in.

What does this mean for your business? It means that MFT will provide a few basic, but important, features:

1. File transfer capabilities that are secure. An MFT solution, especially one that claims to be compliant under any framework, will package one or more secure file transfer protocols together as part of their operation. For example, most will include SFTP functionality. Others that include tools like email or web access may also include HTTPS, SMTP, FTPS and other security protocols.
2. A secure and encrypted server. MFT platforms protect data in transit and at rest, which means that on top of the encryption used to secure data during a file transfer, the platform will also deploy encryption for data stored in servers.
3. Additional security controls. Platforms will include any additional technical, physical or administrative controls necessary to meet relevant compliance standards. A GDPR-compliant platform, for example, will typically provide authentication, integrate with identity management systems like LDAP and scanners like DLP and provide role-based data access and user privileges. On-premise systems normally use a proxy through a Demilitarized Zone (DMZ) so data is always stored behind the corporate firewall.
4. Advanced management tools. Good MFTs will include data management and visibility, either through auditing logs, automated documentation and CISO capabilities like a dashboard to track user access, authentication, batch data transfers and other critical business requirements.
   1. Flow authoring environment. Rapidly onboard new business trading partners by defining new workflows, connections, and transfer schedules or triggers.
   2. Large-scale operations management. Ensure reliability and minimize staff needs by providing visibility into job failures when networks and remote servers crash, automatic retry, and troubleshooting tools to fix problems and performance bottlenecks.

As you may already have noticed, a properly configured MFT can go a long way in helping your business meet compliance standards. A compliant MFT vendor, therefore, is an integral part of meeting your own compliance requirements.

What Is Encryption in GDPR Compliance?

GDPR’s extensive and rigorous compliance framework codifies the European Union’s data privacy commitment to consumers.

This commitment is represented in several of the requirements of GDPR, which include:

1. Encryption algorithms for data privacy. Article 32 of the GDPR guidelines specifies that encryption, as a necessary and low-cost security measure, must be present to protect all data. GDPR also suggests that your company has encryption policies and plans in place for all data-handling systems.
2. Testing and accessibility. Additionally, encrypted data must also be accessible for use within a timely matter during any technical or physical event. That is to say, properly protected data must be accessible through a system and, if there is damage to existing data, there must be some sort of backup or contingency to make that data available. These systems must also be regularly tested.
3. Consumer consent and the right to be forgotten. Unlike many other countries, the EU requires through GDPR that businesses handling consumer data gain consent for the use of that data in certain marketing situations (like email marketing). Additionally, should a consumer request that their data be deleted from your system, you must do so within a small time frame. In both cases, you must have documentation of consent, requests for deletion, and documentation that you complied with consumer requests.

How do encryption play a role in these requirements? At every place where data is processed, it must be made confidential and illegible through encryption. This includes any time data is used for testing, research or documentation and auditing. So, for example, if you keep documents regarding consent given by consumers and those documents contain personal information (like a name, address, or potentially an IP address depending on the jurisdiction) then those documents must also be encrypted.

Does MFT Help with GDPR Compliance?

An MFT platform, properly configured, can support GDPR compliance efforts in several ways:

• Creating audit logs. They track every data access and transfer, including who was given access, as well as any changes in data access permissions. Having these records is critical for compliance audits.
• Encrypting data at rest and in transit. This protects all files that contain personal information, including audit logs or documentation.
• Controlling the flow of data from one location to the next. Properly configured MFTs can control (or help you control) the flow of data around your organization, including creating rules and triggers to halt data from entering non-compliant systems in your network. This kind of control can help your CISO, or Compliance Officer manage the flow of data and maintain separation between compliant and non-compliant systems.
• Governance. Providing high-level and low-level user access controls and authentication tools to ensure that data is protected from unauthorized access.

As you can see, data and access control are integral parts of GDPR compliance. An MFT platform with proper controls can help you comply with GDPR articles 24, 28 and 32 that state that you must protect data no matter where it is, and only process that data under justifiable business conditions. And MFT with real auditing, documentation and data control gives you the tools you need to easily meet and even automate your requirements.

The Kiteworks Platform Difference

The Kiteworks platform can help you with GDPR compliance specifically because it gives you secure file transfers and data controls. The Kiteworks platform includes:

• A cluster of virtual appliances, developed using secure coding practices. They are fully hardened, pen tested and subjected to bounty hunters, saving you the time, effort, and cost of hardening them yourself.
• A CISO Dashboard provides comprehensive visibility of data access, user access, data trends and movement, and controls over data transfers.
• DLP integration to scan all in-transit data to determine whether or not it contains sensitive or personal data.
• Access controls over flows and connections to protect sensitive data from illicit access.
• AES-256 encryption for data at rest and TLS 1.2 encryption for data in transit.
• Detailed one-click GDPR and HIPAA reports highlighting risks in your security and governance policies. Use them in audits to quickly demonstrate compliance with your documented controls, such as DLP scanner integration, data access policies, domain whitelisting and file expiration controls.
• Unified in a single, standardized cleansed syslog so your SOC team can save time and more quickly analyze alerts.
• Provisions for secure third-party access to personal data, including detailed logs for personal data access.
• Automated data removal policies to meet GDPR processing requirements.
• Additional layers of protection for encryption keys using integration with a hardware security module (HSM) or Amazon Web Services Key Management Service (AWS KMS).

Ready to learn more about MFT for GDPR compliance and how it can help your business? Check out Kiteworks’ secure managed file transfer solution or schedule a demo today.

Additional Resources

• Blog Post Shopping for the Best Managed File Transfer Software
• Blog Post What is the Most Secure File Sharing?
• Blog Post What is Managed File Transfer?
• Blog Post Enterprise File Sharing with Maximum Security & Compliance
• Blog Post What is Data Sovereignty Definition?