Is SFTP GDPR Compliant? [How to Make SFTP GDPR Compliant]

Need your SFTP protocol to be GDPR compliant? Here are the GDPR requirements your company will need to prove compliance.

Is SFTP GDPR compliant? No, SFTP by itself is not GDPR compliant. Making SFTP compliant requires additional protocols, tests, applications for compliance, and other security measures to protect personal data. However, some vendors offer GDPR-friendly SFTP that’s easy for you to make fully compliant.

What Is GDPR and How Does SFTP Play a Role in Compliance?

GDPR is an EU compliance framework instituted to help protect consumers and support consumer control over their personal information. These regulations apply to IT and hardware that in any way handles user information, and they provide controls to empower users to deny consent or have their personal information deleted from business databases.

These rules, therefore, apply to file transfer technologies like File Transfer Protocol. Article 32 specifies that companies storing, transmitting and using consumer personal information must take appropriate technical and organizational safeguards to protect it, balanced against reasonable business concerns and risk assessment. This includes technologies like encryption and pseudonymization.

That makes vanilla FTP noncompliant. Since most compliance frameworks in the U.S. and EU require encryption of some sort, most companies use Secure FTP (SFTP) to transfer files. Companies that use SFTP for doing business (file transfers and server storage containing personal consumer information) are already on the right path for compliance but need to take extra steps to ensure that they are compliant.

However, SFTP isn’t itself completely compliant. While it provides encryption, there are several ways in which an SFTP server may not meet requirements:

1. Encryption might not be sufficient. While SFTP includes SSH technology (and thus some form of encryption), not all SFTP solutions are up-to-date or appropriate for GDPR requirements.
2. The SFTP server may rely on untested or unauthorized scripts. Workflows written in different programming languages, if not properly secured, could result in the unlawful disclosure of user data and a breach of compliance.
3. SFTP servers don’t always come with proper documentation and auditing. GDPR requires some form of proof to show that specific actions were taken, namely, that consent was given for certain kinds of data usage or that requests for data deletion were followed.

Compliance with GDPR, in the case of SFTP, calls for a deeper understanding and implementation of security controls that meet the rights of the data subject under GDPR.

GDPR-compliant File Transfer

GDPR-compliant File Transfer is a set of practices and protocols that organizations must follow to ensure they are not violating the European Union’s General Data Protection Regulation (GDPR). Methods include encrypting and decrypting data, data storage and transmission, and data destruction. This ensures the confidentiality, integrity, and availability of information.

Businesses benefit from using GDPR-compliant File Transfer because it helps them comply with their legal obligations and avoids the financial, legal, and reputational repercussions of not using it. Regulatory penalties, loss of customer data, and harm to the customer’s experience are all potential financial penalties resulting from a breach of the GDPR. Furthermore, businesses may also be liable for damages arising from a breach, such as financial losses and reputational damage, which can be difficult for organizations to repair.

The financial, legal, and reputational repercussions of not using GDPR-compliant File Transfer can be severe. Fines for noncompliance range from 10 million euros to 4% of a company’s global annual turnover. Furthermore, any breach of the GDPR can lead to legal action. Finally, businesses that fail to comply may suffer irreparable reputational damage and may be subject to public criticism and boycotts.

What Are Some Best Practices for Compliance With SFTP and GDPR?

What are the steps that a company can take to make their SFTP usage compliant? They can focus on the adoption of technology that can meet requirements, including:

1. Solutions that use proper encryption standards to store and transmit data. Articles 5 and 6 of GDPR require that information be protected with technology that can ensure protection and privacy. Furthermore, these articles require that any processing of data also ensure the privacy of the data no matter what happens to it. This will typically mean using technologies like SFTP using AES-256 and TLS 1.2 or higher.
2. Include audit logs. There isn’t a specific call for auditing but there is a requirement that certain forms of interaction are met—specifically consent. Audit logs can help you provide a trail of evidence that can demonstrate to compliance auditors that you are meeting your requirements. Note that logging under GDPR is different from other compliance standards. While not all logging methods capture private information, many do, and these logs need to be kept under the same security controls as any other information (including encryption and authorization safeguards).
3. Leverage a solution that provides data visibility and accessibility. One of the requirements of GDPR, as outlined by article 39, is that an organization shall have a Data Protection Officer whose responsibilities include monitoring compliance, interfacing with regulators, and ensuring that employees and other stakeholders understand their responsibilities under GDPR. A functional CISO dashboard can help the office of a Data Protection Officer understand gaps in compliance and to more readily respond to breaks in compliance as they happen.

While these might seem broad, the best approach to GDPR is to assume that any consumer data collected must be protected, that consumer privacy and demands for deletions of data be respected and that there is a clear management function for compliance standards.

What Are the Penalties for Noncompliance?

An improperly configured SFTP server can be the ticket to noncompliance and severe penalties. These are typically arranged around the severity of noncompliance, data users affected, and the steps taken by the organization to rectify the situation.

Not all infringements lead to fines at first. Governing bodies might instead do any of the following before imposing fines:

1. Issuing warnings
2. Instituting a temporary or permanent ban on processing
3. Ordering remediation of problem or deletion of data
4. Suspending transfers to other countries

In the case of fines, however, GDPR divides penalties into two tiers:

1. A maximum of 10 million Euros or 2% of annual global turnover (whichever is higher) for breaching specific requirements of GDPR. These include infringement of obligations under Articles 8 (child’s consent), 11 (processing that doesn’t require identification), 25 (that data processed is specifically relevant to the task at hand), 39 (tasks of a Data Protection Officer), 42 (certification and compliance) and 43 (working with proper certification bodies).
2. A maximum of 20 million Euros or 4% of annual global turnover (whichever is higher) for breaking requirements in Articles 5, 6, 7, 9 as well as willful breach of the articles in the lower tiers). The main penalties here are linked to breaks in data processing principles, properly processing data for business purposes, breaking consent, data subject rights, or transfers to outside countries.

GDPR levies significant penalties, and an SFTP server that isn’t appropriately set up to manage security and the privacy of consumers is going to be a liability rather than an asset that could cost your organization a significant chunk of revenue.

10-step Checklist to Achieve GDPR Compliance

A checklist can help organizations demonstrate GDPR compliance by providing a comprehensive list of the necessary steps that an organization needs to take in order to comply with the regulation. This could include things like creating a GDPR policy, conducting training sessions for staff and contractors who may have access to personal data, updating existing contracts to ensure GDPR compliance, and establishing clear procedures for data transfer and storage. By referring to the checklist, organizations can easily ensure that they are taking the necessary steps to remain compliant with GDPR and demonstrate their commitment to data protection best practices. Here is a sample checklist organizations can use when building out a GDPR compliance program:

1. Designate a Data Protection Officer: Appoint a Data Protection Officer (DPO) to understand and assess the GDPR requirements and ensure your organization complies with the regulations. The DPO is responsible for ensuring that data is collected, used, and stored securely and legally.

Example: At a small business, the Chief Operating Officer is responsible for the Data Protection Officer.

2. Appoint a Team to Focus on GDPR: Create a team responsible for assessing, preparing, and implementing the necessary GDPR requirements.

Example: At the same small business, the team of IT staff and legal advisors are asked to work together to assess, prepare, and implement the required GDPR requirements.

3. Perform a Data Audit: Conduct a data audit to identify what personal data is held, how it is processed, and how long it is kept.

Example: The team at the small business creates a spreadsheet to map out all the types of personal data they store, the purposes they hold it for, how it is processed, and how much time they keep it for.

4. Update Your Privacy Policy: Ensure your organization’s privacy policy clearly outlines how personal data is used, stored, and accessed.

Example: The small business updates its privacy policy to include specific language about what data they collect, how they use it, how long they keep it, and who can access the data.

5. Create a Data Breach Notification Plan: Develop a plan for notifying stakeholders if a data breach occurs.

Example: The small business creates a plan for notifying customers, employees, and other stakeholders of a potential data breach if it occurs.

6. Adopt Security Measures to Protect Data: Implement measures to protect data from unauthorized access, such as encryption, authentication measures, and access rights.

Example: The small business implements a two-factor authentication process for accessing the customer database and an encryption process for storing data.

7. Train Your Employees: Ensure your team is adequately trained on GDPR and understands their responsibilities when dealing with personal data.

Example: The small business’s IT and legal teams hold a training session to review the GDPR requirements and explain how they apply to the company and its data collection and storage processes.

8. Educate Your Customers: Ensure customers are aware of their rights and how they can access, delete, or restrict the use of their data.

Example: The small business creates a webpage outlining the GDPR requirements and how customers can access, delete, or restrict the use of their data.

9. Monitor for Compliance: Develop a process for monitoring your compliance with GDPR and regularly review it to ensure continued adherence.

Example: The small business creates a system for regularly reviewing its data protection processes and assessing whether or not they are still compliant with GDPR.

10. Review Regularly:Review your GDPR processes to ensure continued compliance.

Example: The small business holds regular meetings with the IT and legal teams to review the GDPR requirements, assess compliance, and make any necessary updates to ensure continued compliance.

Organizations Use Kiteworks SFTP to Achieve GDPR Compliance

Organizations around the world utilize Kiteworks SFTP to transfer EU residents’ personally identifiable information (PII) securely and in compliance with GDPR.

As part of the Kiteworks Private Content Network, Kiteworks SFTP features a hardened virtual appliance, scalable servers, and centralized governance that tracks every user and automated action. File transfers are protected with AES-256 encryption for data at rest and TLS 1.2+ for data in transit, making it one of the most secure transfer options in the marketplace.

All file activity, including who accessed and sent a file to whom and when, is logged so organizations demonstrate compliance, detect anomalous activity sooner, and maintain a chain of evidence for forensics. The platform also supports on-premises and private cloud deployment options, where file transfers, file storage, and access occur on a dedicated Kiteworks instance, in accordance with data sovereignty requirements.

Besides GDPR, Kiteworks SFTP supports several other regulatory standards, including the Payment Card Industry Data Security Standard (PCI DSS), International Organization for Standardization (ISO 27001, 27017, and 27018), the Health Insurance Portability and Accountability Act (HIPAA), Cyber Essentials Plus, FedRAMP, and many more. Kiteworks SFTP also features no file size or type limitation, seamless automation, self-service/ease of use, automation, and central administration.

Kiteworks provides organizations and their Data Protection Officers (DPOs) complete visibility and control over their customers’ PII, enabling compliance with GDPR.

To learn more about how Kiteworks SFTP can help you achieve GDPR compliance, schedule a custom demo today.

Additional Resources

• Blog Post Data Sovereignty and GDPR [Understanding Data Security]
• Video Kiteworks Snackable Bytes: SFTP Server
• Blog Post Federal Data Protection Act (FDPA) in Germany: Protecting Personal Data in the Digital Age
• Blog Post GDPR Compliant Email—What You Need to Know
• Blog Post Top Enterprise SFTP Software for Clients & Servers