Is it GDPR compliant to transfer personal data from a server to another server by FTP in internal network?
Thanks in advance.
GDPR is a much broader framework, than a specific set of technical "do's" and "don'ts".
Regardless of GDPR, I'd say ftp (or any unencrypted, plain text transfer protocol) should *not* be used, even on internal networks. It's just a bad idea in general. If an attacker gets even limited read access on your network, you've just bypassed any sort of access controls on the data, by streaming it in the clear.
Even without GDPR concerns, I'd say this is pretty close to a violation of "due care" in handling sensitive data.
Not a lawyer, my opinions are my own.
GDPR specifies legal requirements than technology related mechanisms. The law sets expectations which may include "do's" like encryption, impact assessments.
When considering data transfers even on internal network, we will need to:
GDPR doesn't mandate specific technical methods, but if we consider that when dealing with Personal Data "appropriate technical and organisational measures" should be used, then I would say that SFTP is the minimum to be used. Probably you can get away in using FTP as well, but if your network is breached and Personal Data would be exfiltrated because of FTP (which is an unencrypted protocol), I would rather say that you will be in trouble as you were not using Defense-in-Depth (aka layered) defense and as well you would have not followed the Privacy by Design and Privacy by Default concepts contained in GDPR. It's common to see companies willing to procrastinate (again!!) implementation of basic security standards, like for example, removal of FTP. I would expect some big fine to be handed to some companies after May 2018 to start convincing businesses in Europe that Information Security and Privacy needs to be taken seriously, as they could severely affect human rights, rather than just financial or business matters. Until we will see CISOs under CIOs or other C-Levels (thus not being considered 'enough--important' by CEOs) the situation won't change I the right direction. In USA this is many steps ahead already, EU is lagging back in terms of business awareness. On the other Hand GDPR shows that on Human Rights EU is the spearing edge in the world on legislative area. Let's see if that will remain just on paper or if we will see real enforcement in the very near future.
I think you have received some good guidance regarding how GDPR does not speak to specifics. On the issue of FTP for internal use only, I think you are looking at the tip of the iceberg. While FTP rightly is a security concern due to its unencrypted nature, the same attack against it would apply to any unencrypted and open file sharing protocol (e.g. an open legacy SMB/Windows share), which is not unheard in a lot of places.