How does GDPR affect my business?

GDPR, the General Data Protection Regulation, affects any organization that handles personal data from EU individuals.

Learn how SEEBURGER MFT File Transfer (MFT) helps you comply and mitigate risks.

General Data Protection Regulation (GDPR) and Managed File Transfer

The EU General Data Protection Regulation (GDPR) has been in effect since May 25th 2018. It regulates how a company, organization or individual may process personal data belonging to an EU individual. Any company doing business with individuals located in the EU needs to comply with GDPR.

The GDPR’s definition of ‘personal data’, often referred to as Personally Identifiable Information (PII), is very broad: names, birthdays, photos, addresses and even social media posts fall under GDPR.

GDPR also gives individuals the right to know how and why their PII is being collected and how it is being used. Furthermore, they can request to see their PII and/or request that it be removed or deleted.

This makes secure data exchange critical when personal data is involved. By law this requires:

  • Encryption and anonymization of the personal data
  • Safeguarding data confidentiality and integrity
  • Availability of systems and services to enable access to data if needed
  • Recovery of personal data in a secure way following a system error

Non-compliance with GDPR

There are many ways of exchanging personal data. System-to-system methods include uploading batch files, scheduled FTP transfers, etc. System-to-human transfer includes planned reports, ad-hoc enquiries, etc., while human-to-human transfer includes e-mails, flash drives, instant messaging and more.

Companies without a centralized overview of their data exchange are at risk of a data breach. Whether intentional or accidental, data leaks from key business applications continue to be a real threat for many companies. Leaks can result in data breaches that violate rules, including internal compliance regulations, partner or customer service level agreements (SLAs), and privacy or data protection laws like GDPR.

Failing to comply with GDPR requirements, whether intentional or accidental, can be catastrophic for a company. Violations can cost your company potentially €10-20 million or up to 2-4% of worldwide group turnover in fines, time and money. The penalties for inadequate protection of personal data also have an impact on those who are directly responsible, e.g. Managing Directors, board members, Data Controllers, the CISO, etc.

A Data Protection Impact Assessment (DPIA) is a risk assessment audit for technologies that process personal data. When running a DPIA, you need to look at the following areas:

  • Application design
    Has the application been designed with data protection in mind? Does it follow the principles of ‘data protection by technology design’ and ‘data protection by default’?
  • Secure exchange of data
    Is data encrypted and anonymized? Can you ensure the confidentiality, integrity and availability of systems, services and recovery after a physical or technical incident?
  • Ability to delete an individual’s personal data
    Individuals have the right to request that companies delete any Personally Identifiable Information (PII) relating to them, just by withdrawing their consent. For individual cases, this request might be difficult to fulfill, but is still achievable. However in large organizations, or if many requests come in at the same time, it is nearly impossible to do without prior preparation. One preparatory measure could be to set up a consent management hub to track the whereabouts of PII. However, before creating such a hub, you need integration so that systems holding and/or transferring PII have interfaces to interact with the hub.
  • Operating secure cloud services
    The majority of companies use cloud services from external service providers to some extent. The provider liability introduced by GDPR means that providers of cloud services can increasingly be held liable. However, it’s still challenging to choose the right service provider and evaluate privacy measures. Certifications and attestations by external auditors are a good sign.
  • Legal framework conditions
    Exchanging data between EU member states and the USA is only possible under GDPR if binding corporate regulations or contracts based on the EU standard contractual clauses have been concluded within an affiliated group of companies.

    Companies must enter into order processing agreements or nondisclosure agreements (NDA) with their customers, IT service providers, consulting partners and data center providers. Generic order data processing contracts are not sufficient. Order processing agreements by GDPR must contain a section specific to the order in question. This describes the order-specific technical and organizational data protection measures in detail. For unstructured data there are still many FTP channels around while at the same time internet file sharing services have become common. For both scenarios, it can be difficult to have a reliable order-processing contract.
  • Burden of proof
    Due to the accountability requirements of the GDPR, documentation is extremely important and needs to include detailed data protection logs.
    Currently there is no official GDPR compliance certification process. However, the effectiveness of the measures can and should be tested and confirmed through internal audits and external certifications such as ISO/IEC 27001 and ISAE 3402 (SOC 1) Type 2.

Sharing files amongst people and systems is essential to today’s increasingly automated business operations. However, if file sharing is not considered in the design, execution and monitoring of core business processes, there will be costly vulnerabilities.

A secure Managed File Transfer (MFT) solution gets business-critical data to the right place at the right time, while also letting the sender track end-to-end and prove the data has been received. Alongside classic PII, this could also be financial data, price lists, contracts, payment information, intellectual property, inventory, orders or supply chain data etc. Some of the above will of course also include PII.

SEEBURGER BIS MFT is a solution that provides secure and monitored end-to-end management of all file transfers.

Besides being GDPR-compliant, data protection is important for many other reasons in various industries:

  • Retail: Exchanging large product graphic files with suppliers. Sharing financial details with banks
  • Consumer Goods: Brand teams collaborating with external parties on marketing material
  • Media: Transferring digital video files and creative assets
  • Manufacturing: Distributing marketing content to regionally located centers
  • Engineering: Multi-party exchange of CAD files for virtual teams
  • Financial Services: Payment processing and the exchange of payments for services and goods

SEEBURGER BIS MFT is a solution that can help businesses comply with GDPR. Every file is governed by policies, which helps validate, check and securely move data of any size between internal applications, companies, partners, customers and employees.

Benefit from the business advantages of managed file transfer, which go beyond compliance, while avoiding the hidden costs of "free" file sharing.


GDPR-compliant exchange of personal data across companies with SEEBURGER Cloud Services

Secure Data Room

Secure storing and file sharing via the SEEBURGER Cloud – use upload and download links to share files with external partners.

Secure Attachments for Outlook

Secure delivery of file attachments via Outlook Add-in – send encrypted attachments protected by password.

SEEBURGER Cloud Services are ISO 27001 certified.