A US Company Navigating FTP and GDPR
GDPR, the European Union’s General Data Protection Regulation, aims to give EU citizens additional rights regarding their personal data. The regulation does not exempt a company just because it is based in the United States (or another non-EU nation).
In fact, working for a company headquartered in California with clients all over the world makes awareness of all such regulations important. Providing FTP and file transfer services online means providing a secure means of storing and sharing files regardless of the content or the sender’s country of origin.
Another consideration is the significant fines the GDPR introduces for non-compliance. The lower tier of penalties can include fines of up to €10 million, or 2% of worldwide annual revenue for the previous financial year, whichever is higher. Looming monetary penalties can create fear, especially in small to medium-sized businesses. In the US, wrapping your head around what a €10 million fine will actually cost you adds to the headache of GDPR.
As long as you are mindful of data security, transparent about how you collect and use personal data, and report any data breach within 72 hours, the rest of the EU GDPR will start making more sense.
Personal Data Rights Under GDPR
GDPR enforcement went into effect on May 25th, 2018. Companies all over the world have been trying to navigate this EU regulation and figure out how to be compliant with the new law.
First, you have to understand what Personal Data is.
Personal data is any piece of information that can identify an individual. The obvious examples are name, birthday, physical address, and email address. However, personal data also includes information that can indirectly identify an individual, such as physical, cultural, or psychological information, and even an IP address or online handle.
New Data Privacy Rights
1. The right to access.
2. The right to be forgotten.
3. The right to restrict processing.
4. The right to data portability.
5. The right to object.
What does all this mean? Let’s take a look at some of these GDPR data privacy rights.
As an EU citizen, under GDPR you have the right to know what information a company has collected about you. This extends to the right to data portability: a company must be able to provide all the information it holds on you in a portable format that you can take with you and transfer to another company if you wish.
The right to be forgotten is also known as the right to erasure. An EU citizen can invoke this data privacy right if, for any reason, they want all of their personal data completely removed from a company’s database. The subtle issue here is that the company must have a process for erasing someone from its database, and once all of that person’s data has been erased, there must be documented proof that the request was fulfilled.
Kind of annoying, right?
Under GDPR, consent must be freely given. You cannot collect personal data without telling customers what data you are collecting and why, or what you will be doing with that information. In other words, minimization is best: a company should collect only the information it needs to complete the transaction.
How Does This GDPR Stuff Tie In With Your FTP & File Sharing Service?
File sharing is not inherently GDPR compliant; file shares need a little help in this department. That is why you should choose a file sharing service that cares about data security and is transparent about its GDPR compliance efforts.
GDPR Is Global
Now that the EU GDPR has been around for a while, we can see that data privacy laws won’t be going away or getting less strict. With file transfers crossing oceans and borders, it’s nearly impossible to avoid GDPR. A file sharing company in the United States would find it extremely difficult to exclude EU citizens from its services, compared with simply doing the due diligence to comply with GDPR.
But I’m Not An EU Citizen
In many cases, GDPR is still a benefit for any individual concerned with data security. As companies change their back ends to comply with the policies laid out in the EU GDPR, they often realize it is easier to apply those changes to all of their clients.
Secure File Transfers
A final note on FTP and file sharing. When using the internet and cloud storage, it’s pretty hard to find an online company that doesn’t share information with, or depend on, other companies. A company that does file transfer probably has a separate company handle its email or even its credit card processing. A company that has done its due diligence and in good faith claims to be GDPR compliant should only be working with other GDPR-compliant companies.
If so, you should be good to go with that file you need to upload for a client. (Or those summer vacation pictures you promised to share with the in-laws.)