Is SFTP GDPR Compliant? [How to Make SFTP GDPR Compliant]
Need your SFTP protocol to be GDPR compliant? Here are the GDPR requirements your company will need to prove compliance.
Is SFTP GDPR Compliant? No, SFTP by itself is not GDPR compliant. Making SFTP compliant requires additional protocols, tests, applications for compliance and other security measures to protect personal data. However, some vendors offer GDPR-friendly SFTP that’s easy for you to make fully compliant.
What Is GDPR and How Does SFTP Play a Role in Compliance?
GDPR is an EU compliance framework instituted to help protect consumers and support consumer control over their personal information. These regulations apply to IT and hardware that in any way handles user information, and they provide controls to empower users to deny consent or have their personal information deleted from business databases.
These rules, therefore, apply to file transfer technologies like File Transfer Protocol. Article 32 specifies that companies storing, transmitting and using consumer personal information must take appropriate technical and organizational safeguards to protect it, balanced against reasonable business concerns and risk assessment. This includes technologies like encryption and pseudonymization.
That makes vanilla FTP non-compliant. Since most compliance frameworks in the U.S. and EU require encryption of some sort, most companies use Secure FTP (SFTP) to transfer files. Companies that use SFTP for doing business (file transfers and server storage containing personal consumer information) are already on the right path for compliance but need to take extra steps to ensure that they are compliant.
However, SFTP isn’t itself completely compliant. While it provides encryption, there are several ways in which an SFTP server may not meet requirements:
- Encryption might not be sufficient: While SFTP includes SSH technology (and thus some form of encryption), not all SFTP solutions are up-to-date or appropriate for GDPR requirements.
- The SFTP server may rely on untested or unauthorized scripts: Workflows written in different programming languages, if not properly secured, could result in the unlawful disclosure of user data and a breach of compliance.
- SFTP servers don’t always come with proper documentation and auditing: GDPR requires some form of proof to show that specific actions were taken, namely, that consent was given for certain kinds of data usage or that requests for data deletion were followed.
Compliance with GDPR, in the case of SFTP, calls for a deeper understanding and implementation of security controls that meet the rights of the data subject under GDPR.
What Are Some Best Practices for Compliance with SFTP and GDPR?
What are the steps that a company can take to make their SFTP usage compliant? They can focus on the adoption of technology that can meet requirements, including:
- Solutions that use proper encryption standards to store and transmit data. Articles 5 and 6 of GDPR require that information be protected with technology that can ensure protection and privacy. Furthermore, these articles require that any processing of data also ensure the privacy of the data no matter what happens to it. This will typically mean using technologies like SFTP using AES-256 and TLS 1.2 or higher.
- Include audit logs. There isn’t a specific call for auditing but there is a requirement that certain forms of interaction are met—specifically consent. Audit logs can help you provide a trail of evidence that can demonstrate to compliance auditors that you are meeting your requirements. Note that logging under GDPR is different from other compliance standards. While not all logging methods capture private information, many do, and these logs need to be kept under the same security controls as any other information (including encryption and authorization safeguards).
- Leverage a solution that provides data visibility and accessibility. One of the requirements of GDPR, as outlined by article 39, is that an organization shall have a Data Protection Officer whose responsibilities include monitoring compliance, interfacing with regulators, and ensuring that employees and other stakeholders understand their responsibilities under GDPR. A functional CISO dashboard can help the office of a Data Protection Officer understand gaps in compliance and to more readily respond to breaks in compliance as they happen.
While these might seem broad, the best approach to GDPR is to assume that any consumer data collected must be protected, that consumer privacy and demands for deletions of data be respected and that there is a clear management function for compliance standards.
What are the Penalties for Non-Compliance?
An improperly configured SFTP server can be the ticket to non-compliance and severe penalties. These are typically arranged around the severity of non-compliance, data users affected, and the steps taken by the organization to rectify the situation.
Not all infringements lead to fines at first. Governing bodies might instead do any of the following before imposing fines:
- Issuing warnings
- Instituting a temporary or permanent ban on processing
- Ordering remediation of problem or deletion of data
- Suspending transfers to other countries
In the case of fines, however, GDPR divides penalties into two tiers:
- A maximum of 10 million Euros or 2% of annual global turnover (whichever is higher) for breaching specific requirements of GDPR. These include infringement of obligations under Articles 8 (child’s consent), 11 (processing that doesn’t require identification), 25 (that data processed is specifically relevant to the task at hand), 39 (tasks of a Data Protection Officer), 42 (certification and compliance) and 43 (working with proper certification bodies).
- A maximum of 20 million Euros or 4% of annual global turnover (whichever is higher) for breaking requirements in Articles 5, 6, 7, 9 as well as willful breach of the articles in the lower tiers). The main penalties here are linked to breaks in data processing principles, properly processing data for business purposes, breaking consent, data subject rights, or transfers to outside countries.
GDPR levies significant penalties, and an SFTP server that isn’t appropriately set up to manage security and the privacy of consumers is going to be a liability rather than an asset that could cost your organization a significant chunk of revenue.
If you’re going to do business with consumers in the EU, then GDPR is a reality for your compliance strategy. Your best way to position your technical infrastructure successfully is to work with tools that can help you be compliant by protecting data. The Accellion Kiteworks platform can help you with your GDPR compliance by providing secure technologies like hardened SFTP servers (encrypted at-rest and in-transit), integration with hardware security models for tamper proof key storage, MFT for GDPR, email for GDPR and accessible CISO dashboards.
With the Kiteworks platform, you get:
- A comprehensive audit trail with reporting, including explicit GDPR reports, to help prove and track consent from users. Additionally, you can expert syslogs into any SIEM solution, including IBM QRadar, Logrhythm and Splunk.
- A content firewall to centralize data and security governance for all your SFTP servers. This includes administrator and end-user access controls, certificate-based authentication controls, built-in antivirus and protection for outbound data with Data Loss Prevention (DLP) servers.
- A robust role access system using LDAP or Active Directory with additional ways to designate trusted users in nested SFTP folders. Also designate trusted external users and set data access controls across SFTP servers to ensure compliance across all SFTP resources.
Learn more about GDPR and Accellion by accessing our eBook on how the Kiteworks® Content Firewall is modernizing enterprise SFTP.