How to Prevent GDPR Mistakes 

(Pasko Maksim/Shutterstock)

Nearly everyone with a credit report is familiar with the recent Equifax data breach. And anyone in the business of moving sensitive data is familiar with how a robust managed file transfer (MFT) solution helps organizational security through enhancing operational visibility and efficiency.

Equifax’s identity-theft fiasco was staggering, egregious and historic. As one of the three major credit reporting agencies in the United States, Atlanta-based bureau compromised the names, Social Security numbers, home addresses, dates of birth, driver’s license numbers and credit card information of nearly 146 million Americans. And that number could grow.  In addition, nearly 700,000 British citizens and several thousand Canadians were affected. Basically, anyone considered a consumer with ties to the United States was at risk.

A major concern has been the lack of transparency. Equifax’s data breach reportedly occurred in mid-May. But it wasn’t discovered by officials until July 29 and wasn’t reported to consumers until Sept. 7 — a 41-day delay.

Part of the problem is that the U.S. doesn’t have federal regulation requiring companies to communicate data breaches to the public. Instead, breach notification statues differ state-to-state, making it a crapshoot for U.S. consumers to navigate.

However, the European Union is changing the game with its General Data Protection Regulation (GDPR), and secure MFT will play an important role.

GDPR is an EU order that aims to streamline the data protection regulations and strengthen protection for all individuals affiliated with the EU. After years of discussion and preparation, the GDPR was approved by the European Parliament on April 14, 2016, and it officially goes into effect on May 25, 2018.

GDPR applies to EU companies that have an establishment in the EU, provide goods and services to EU residents and monitor the behavior of EU residents. In other words, every company in the EU is affected. Companies outside Europe also must abide by the same rules. Therefore, if a company in the U.S. is selling any goods or services to people in Europe, it must meets GDPR compliance even though it’s based in the U.S.

Data breaches that may pose a risk must be reported to affected individuals and to the data protection authorities within 72 hours. In case of a data breach, organizations face a hefty fine of 4 percent of annual global turnover, or $21.2M (€20M), whichever amount is higher.

If GDPR was in effect when Equifax was breached, the credit reporting bureau would be facing fines around $130 million. With that thought in mind, companies are being forced to think more about digital transformation and adapt new technologies because of a new EU mandate. But with the GDPR deadline coming up in four months, that gives companies little time.

GDPR puts an increased burden of data security on organizations. But according to a recent global survey by British market research firm Vanson Bourne, many companies are dragging their feet. Globally, 37 percent of organizations are unsure whether they need to be GDPR compliant, while 28 percent believe they don’t need to comply at all.

That means interpretation of the rules sometimes is murky, making it possible for companies to be fined for non-compliance and data breaches. But everything your organization does with data constitutes processing, and virtually every process involves data transfer at some level. For such industries as healthcare, supply chain and logistics, financial services and SaaS, data transfer is the operations lifeblood. And any action on data is technically a processing event, including internal transfers, external transfers, storage, viewing, analyzing, changing, synchronizing and replicating. By deploying a steadfast and secure file transfer system that tracks the who, what and when of transactions, companies have the functionality and documentation required to comply.

Therefore, compliance will involve a complex combination of systems and tools, making a robust MFT solution and integration platform so crucial. Secure data movement is an integral part of the GDPR process. Outdated file transfer solutions can’t deliver the auditing, logging, reporting and automation needed to comply.

An advanced MFT solution will go a long way in ensuring that routine business-critical information flows aren’t risking hefty non-compliance penalties. MFT securely transports personal data to and from companies that must adhere to GDPR compliance using:

• Encryption of data in motion and at rest
• Non-repudiation
• Data integrity checks
• Comprehensive transfer logging
• Integration with existing security systems

A modern MFT solution provides advanced security and the control and governance to assure GDPR-compliant data transfers, and the clear, accurate documentary evidence to prove it.

MFT and integration solutions enable enterprises to manage, control, and govern the data flows that power their business. A centralized, reliable, scalable and secure file transfer solution can improve your business performance, reduce IT complexity and inefficiencies, support corporate growth and big data initiatives and reduce risk associated with GDPR data breaches and non-compliance.

It’s up to your organization how it will meet this new EU compliance and avoid mistakes that could be Equifax-like in proportion. GDPR guidelines do not specifically dictate how compliance is done, it just orders what, why and when it needs to be done. But accurate management of your data can’t happen without the right strategy and tools.

So as the May 25, 2018, deadline looms, there is no time to procrastinate. GDPR is just the first wave of what constitutes a global re-visioning of data security and personal privacy regulation. And with modern scalable MFT and B2B integration solutions in place, companies that must be GDPR-compliant can avoid delaying the inevitable and become an important business commodity in the globalization of data.

Dave Brunswick is the Vice President of Solutions at Cleo.