How to transfer files securely

[Just to say that this is a method I use, but you need to satisfy yourself that it is appropriate for your needs. I always recommend you talk to your IT provider, who should be able to advise on your particular circumstances and the most appropriate solutions.]

There is sometimes a need to transfer files between people or organisations. If this contains personal data (or anything of commercial sensitivity) then we need to be especially careful to make sure it is transferred securely, meaning that it gets to the right person and that no one else can access it along the way.

Firstly, a few general guidelines:

  • Email should not be relied on, as it’s too easy to send an email to the incorrect email address.
  • Unencrypted files pose a higher risk (especially in GDPR terms)
  • Compressing files with a password is not strong encryption as it can be broken (I searched for ‘compress file password recover’ and got more than 35 million hits!)

So how do I do it?

  • Use a file sharing service so can you email or otherwise communicate links and not the files themselves. I prefer a paid-for service from Citrix called ShareFile or but others are available including WeTransfer, Firefox Send, Box and Dropbox. You need to balance the need for security against the cost (if it’s free there is a reason).
  • Encrypt the file(s) securely. This may be a built-in encryption e.g. MS Office for low risk data through to PGP encryption for extremely sensitive data. You might also choose a file sharing service that both parties need to subscribe to, so checks can be done that the files can only be access by those you authorise.
  • Share the password by other means e.g. call the person and tell them.

In the light of the failure of Privacy Shield, there is increasingly interest in ‘zero knowledge’ or ‘trust no one’ solutions, where the owners of the file sharing service cannot access data even if forced to try. By way of an example, this applies to and LastPass (both of which I use).

These things should form a part of your IT security policy, and your GDPR or Data Protection documentation. For more information, please contact me and don’t forget you can book a free 20-minute insight call.