Data Transfer in the Age of GDPR
In this hypersensitive GDPR age, as a Data Controller/Provider/User, you need to be able to transfer data securely, safely, and compliantly. Here’s an overview of the advantages and disadvantages of various ways to data transfer.
Data Transfer Methodologies
The simplest and easiest method and which everyone will have access to is email. There are many pitfalls for sending data via email – especially unintended disclosure! We have all done it - where an email has been sent or forwarded to the wrong person. To add to the problem, the files are stored in Sent/Outbox or Inboxes as well – so unintentionally sent data is retained unless manually removed.
Email uses the Simple Mail Transfer Protocol (SMTP) for transmitting messages and attachments across the internet. You have no idea how many servers the message will pass through between the moment you send it and the moment the recipient receives it, and you don’t know who has access to those servers. Files can be sent with password protection, with passwords being communicated in separate emails. The main advantage of this method is ease, but the disadvantage is that passwords should be sent separately. n addition to being diligent with passwords, sending or receiving data in an encrypted format is highly recommended.
There are limitations on the size of the attachments you can send; if you are looking to attach a file over 10MB, most email systems will not permit this.
Unless you remember to ask for a delivery or read receipt, there is no confirmation also that the data has been received or delivered. Or, we can ask our recipients to confirm receipt, but how many do? Another disadvantage of using email is that there is no audit trail: if senders and recipients delete files, there is not only no global view, but no visibility of the files sent.
Data transfer need not be complex, but it does need to be secure.
Another common file transfer method is SFTP – Secure File Transfer Protocol. In order to be able to use SFTP, you need access to online server resources, so smaller companies may be out of luck here. There are various tools on the market-place that will allow you to set up a SFTP delivery option, but again there are pitfalls. For example, there is no visibility of file downloads, data can be retained without manual intervention. Any company employing this methodology would also need to ensure they update their security patches and ensure stored documents are encrypted.
While you can encrypt your email server connection and use encryption protocols to send it over, it’s not always possible to ensure that the recipient has the same set of security practices in place. In other words, you might have securely sent out your documents, but that does not mean they were delivered securely.
There are many services that offer transfer methodology, such as WeTransfer and Drobox. Each has its merits, but always check that each offers the right solution for your specific requirements. Some solutions only provide one-way transfers, lack of visibility of downloads and usage, and files must be password protected. Further, no audit trails and retention of data may mean a breach.
Data transfer does need not be complex, but it does need to be secure. You need to know that if you are audited you can prove that you have all the checks and red flags in place to show that you have done your due diligence to comply with regulations and avoid breaches. It will help you sleep sounder at night!
Here at Savvy Data Solutions – we send not just data but all of our documentation through a secure data platform that is GDPR-compliant and retains a full audit trail of what has been sent. There is no chance of unintended data retention as files shared are automatically deleted after a set number of days.
Talk to us about how transferring data securely and using tools that meet legal GDPR transfer requirements.