Accelerates Compliance with GDPR

FileFlex's use of a Zero Trust Data Access architecture for secure remote access, file sharing and collaboration supports and augments an organization’s GDPR compliance endeavors. FileFlex utilizes an organization’s existing investment in technology and combines a rapid deployment capability with the ability to support the enforcement of the compliance and auditability controls required by GDPR. This is achieved by using an organization’s existing storage and keeping files in their source locations, without copying or moving files to third parties or secondary locations and without the use of cloud storage.


Control of File Sharing

The control of file sharing and data transfer is a key requirement of GDPR. Unlike traditional cloud storage services, FileFlex includes technology built on a zero trust architecture which, when used with policies and appropriate user behavior, controls file sharing and data transfer as follows:

  1. It does not require a mandatory data transfer of file copies to redundant servers, which may or may not be located in geographies that are outside of GDPR jurisdiction.
  2. It does not depend on the governance, risk management or compliance (GRC) policies of third parties that may or may not be in compliance.
  3. It provides the organization granular controls over who a user is permitted to share with.
  4. It supplies view-only sharing where downloading is restricted.

Reduces Complexity

The file duplication and syncing structure and related controls inherent in public, private and EFSS clouds create a more complex storage infrastructure. FileFlex, on the other hand, is a technological control that reduces complexity. The organization’s existing infrastructure, existing information security investment and associated controls are utilized to share files, while existing identity and access controls such as enterprise Active Directory are used to enable authenticated and approved file access. These capabilities enable a rapid deployment model while relying on existing security controls and storage infrastructure to deliver collaboration and file sharing.

Data Minimization

GDPR mandates that personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

This principle should be delivered in the technology stack, with the key aspect being the limitation on the amount of data that is in scope. When files are duplicated on public, private or EFSS clouds, in addition to the source location, multiple images and data reside with the service provider, typically on-line, near-line, in redundant locations or off-line in backup managed and controlled by the service provider. Utilizing FileFlex technology enables organizations to limit the storage of personal data to what is necessary and achieve this goal by significantly reducing the footprint of the organization's data.

Accuracy

GDPR mandates that personal data shall be accurate, and where necessary, kept up to date.

Keeping in-scope PII accurate and up to date is a challenge for organizations as the volume and number of copies of the data grow. FileFlex enables organizations to maintain far fewer copies of the same data, enabling them to keep it more accurate and up to date.

Storage Limitation

GDPR mandates that personal data be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.

This principle is further supported by FileFlex software by limiting the number of unstructured data copies that must be maintained and, through the use of auditing capabilities, by enabling time-limited sharing of files. This aspect, in conjunction with view-only mode, supports the protection of PII and aids in meeting the data leakage prevention requirements within GDPR.

Integrity and Confidentiality

GDPR mandates that personal data be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage using appropriate technical or organizational measures.

FileFlex supports integrity and confidentiality of data using technical controls such as Active Directory and LDAP integration, enforcement of file share permissions, and IT control over who users can share with. It also supports confidentiality controls by enabling the organization to significantly limit the number of data copies required for collaboration.

Accountability

GDPR mandates that the controller shall be responsible for, and be able to demonstrate compliance with, the GDPR.

The extensive logging integration within FileFlex supports this core principle while the integration with LDAP systems such as Active Directory enables controllers to attest to this principle using capabilities that they are already familiar with.

Control

GDPR requires the enterprise to control the processing of all personal information, yet the rise of shadow IT takes control away from the IT department and disperses it across the business functions.

FileFlex minimizes the underlying need for shadow IT in the first place, specifically around file sharing and access to unstructured data. Corporate users and external users can share and collaborate under organizational IT control and within a secure framework, with little need to duplicate data or use user-controlled services. This, in turn, creates a smaller footprint for attack vectors while enabling the collaboration features users require.

Supports Privacy by Design Mandates

GDPR requires the use of Privacy by Design techniques, which means that enterprises must begin with and utilize information security in a “baked-in” approach rather than the “bolted-on” approach that is prevalent in the industry. GDPR aims to transition information security from an afterthought to a fundamental requirement.