[BreachExchange] GDPR’s Effects on Data Migration

Audrey McNeil audrey at riskbasedsecurity.com
Thu Dec 26 21:56:04 EST 2019


Thanks to technology, your organization can easily store, process, and
transfer data. However, the personal data of your customers may be at
stake. To combat the negative implications of private data transfer to
non-EU regions, the EU developed the General Data Protection Regulation
(GDPR). The GDPR sets a standard for organizations processing private data
about data subjects within the EU. Data considered personal under this
regulation includes personal names, addresses, dates of birth, health
records, bank details, and IP addresses, among other personally identifiable
information (PII).

In light of the GDPR, businesses operating within the EU have turned to
compliant cloud-based platforms. However, each of these platforms brings
data migration with it. Whether it's transferring data between
compliant platforms or to compliant servers, it is crucial for your
organization to ensure that it is not in breach of GDPR.

Let’s take a look at how compliance issues can manifest during the transfer
of personal data and what your business can do to remain GDPR compliant.

Where Does The GDPR Apply?

The GDPR applies if you are processing personal data in the EU or data
about individuals within the EU. Whether you are transferring data
undergoing processing or data awaiting processing after the transfer,
you are expected to comply with the GDPR. There are several restrictions
you should remember:

- Restrictions on the transfer of personal data to areas outside the
  European Economic Area (EEA) or servers outside the EEA.
- Restrictions on transfer of PII to servers based abroad.
- Restrictions on emails or attachments containing PII about EU data
  subjects.
- Restrictions on transfers to companies within the same corporate group.

Under the GDPR, you are also required to send emails to your clients,
asking them to opt in to your consent and privacy policies. You are also
expected to report any incidents leading to the accidental or unlawful
destruction, loss, or alteration of personal data, or to unauthorized
access to or disclosure of it.

How Can Digital Migration Violate GDPR?

Ill-equipped organizations can violate GDPR in several ways. First, the
lack of appropriate tools could lead to the loss of PII, which is heavily
punishable under the GDPR. Since GDPR is strict on personal data, the lack
of a proper reporting tool during data migration could lead to confusion
and severe punishment. For this reason, the data migration tool you use for
your business should have an appropriate reporting functionality.

Violations can also occur due to improper permissions. Should you expose
private data to unauthorized personnel during data migration, your business
is punishable under the GDPR. Caching metadata or files can also be risky
for your organization. Aside from making your business vulnerable, caching
data or metadata to non-compliant zones is a huge mess for your

It is also possible to mess up the mapping of users and permissions.
Imagine how catastrophic wrongly cataloged data can be. It is, therefore,
vital to ensure that you maintain file structure and metadata. The
confusion of modified time, file type, or owner metadata could lead to the
loss of private data.
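
A post-migration check for the metadata and permission mapping problems described above, as an added example that is not part of the original article or of any migration product: it compares source and destination manifests and returns the findings a migration report would carry. The Entry fields, the user map and all sample records are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    path: str
    owner: str
    mode: int     # POSIX permission bits
    ftype: str    # "file" or "dir"
    mtime: int    # modification time, epoch seconds
    digest: str   # content hash (constructed placeholder values below)

def verify_migration(source, dest, user_map):
    """Return (path, issue) findings for the migration report."""
    findings = []
    remaining = {e.path: e for e in dest}
    for s in source:
        d = remaining.pop(s.path, None)
        if d is None:
            findings.append((s.path, "missing at destination"))
            continue
        want = user_map.get(s.owner)
        if want is None:
            findings.append((s.path, f"no mapping for owner {s.owner}"))
        elif d.owner != want:
            findings.append((s.path, f"owner {d.owner}, expected {want}"))
        if d.mode & ~s.mode:  # any bit granted that the source did not grant
            findings.append((s.path, f"permissions widened {s.mode:o} -> {d.mode:o}"))
        if d.ftype != s.ftype:
            findings.append((s.path, f"type {d.ftype}, expected {s.ftype}"))
        if d.mtime != s.mtime:
            findings.append((s.path, "modified time changed"))
        if d.digest != s.digest:
            findings.append((s.path, "content digest mismatch"))
    findings += [(p, "unexpected at destination") for p in remaining]
    return findings

# Constructed sample manifests (not real data).
USER_MAP = {"alice": "alice@example.test", "bob": "bob@example.test",
            "carol": "carol@example.test"}
SOURCE = [Entry("hr/payroll.csv", "alice", 0o600, "file", 1577000000, "aa11"),
          Entry("hr/contracts", "alice", 0o700, "dir", 1576000000, ""),
          Entry("crm/customers.db", "bob", 0o640, "file", 1577100000, "bb22"),
          Entry("crm/notes.txt", "carol", 0o640, "file", 1577200000, "cc33")]
DEST = [Entry("hr/payroll.csv", "alice@example.test", 0o644, "file", 1577000000, "aa11"),
        Entry("hr/contracts", "alice@example.test", 0o700, "dir", 1576000000, ""),
        Entry("crm/customers.db", "alice@example.test", 0o640, "file", 1577400000, "bb22")]

if __name__ == "__main__":
    for path, issue in verify_migration(SOURCE, DEST, USER_MAP):
        print(f"{path}: {issue}")
```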

Lastly, security during data migration is of utmost importance. The
interception of private data during transfer through malware is possible.
Some middlemen can intercept your data for their own benefit, leaving you
heavily liable.

When Can Your Organization Transfer Personal Data?

Transfers are possible within narrow exceptions under the GDPR.
Before making any transfers, you should make the following considerations:

- The European Commission should have reached an “adequacy decision” about
  the country where the receiver is based.
- The transfer should be covered by appropriate safeguards, as explained in
  the GDPR.
- The transfer should be covered by one of the following considerations:

  - The data subject has given explicit consent and is aware of the risks.
  - You have a contract or are about to enter into a contract with the data
    subject.
  - The data transfer is vital for the public interest.
  - You have a legal claim to make a data transfer.

Migrating to Compliant Storage

The successful migration of data begins with the identification of PII.
Through analytics, you can identify sensitive information. By being able to
categorize data, you can track its movement through a migration tool,
ensure the successful mapping of metadata and permissions, and retain file

As a business, you might find that your current cloud storage platform does
not suit your needs. Even if the reasons for migrating are not GDPR
related, you need to keep compliance in mind. Remember, just because the
platforms you use are compliant does not mean your migration is. Migration
can be a powerful tool for your organization, but it can equally turn into a
disaster when done outside GDPR.


GDPR compliant migration is just as fundamental as GDPR compliant storage.
To avoid any negative implications, ensure that you keep up with changes to
the GDPR and procure a robust and secure data migration tool.