The EU GDPR (General Data Protection Regulation) comes into force soon, and at Five Security we believe it will have a significant (and interesting) impact on how companies manage the data of their customers and end users.
What is at stake is, first of all, sanctions for non-compliance: fines of up to € 20 million or 4% of total worldwide annual turnover, whichever is higher. But once the initial apprehension passes it is time for analysis, and we realised quite quickly that the main principles of the regulation make sense.
Some of the main ideas of the GDPR are:
On this last point, data security, the regulation gives little detail on the "how" and instead sets out broad principles: the controller must implement "appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation" (Article 24). Article 32 goes one step further and names a few measures by way of example (pseudonymisation and encryption of personal data, ensuring confidentiality, integrity, availability and resilience of processing systems, the ability to restore data after an incident, and regular testing of the effectiveness of the measures), but it leaves the choice and the level of protection to a risk assessment by the controller and processor.
Article 24(3) adds that adherence to approved codes of conduct (Article 40) or approved certification mechanisms (Article 42) may be used "as an element by which to demonstrate compliance with the obligations of the controller", and Article 28(5) extends the same idea to processors.
ISO/IEC 27001 comes to mind, since it is all about implementing an information security management system, as does PCI DSS with its structured set of strong requirements for protecting one particular type of personal data (payment card data). Note, however, that neither is a GDPR-approved certification in the sense of Article 42; they are useful evidence of good practice, not proof of compliance in themselves.
Another fundamental aspect of GDPR concerns relations with external third-party providers who have a role in processing personal data. Data acquisition and outsourcing processes will have to be re-evaluated against GDPR, and service contracts will likely require a detailed review to verify that they meet the new requirements (Article 28 lists what a processing contract must contain).
The principle is that a "controller" is just as responsible for a violation as the provider who failed to secure the data, and a controller may only use processors that provide sufficient guarantees of appropriate technical and organisational measures. Service contracts should therefore also include clear provisions on sub-processors: under Article 28(2) a processor may not engage another processor without the controller's prior written authorisation, which is the lever for keeping out parties who may not comply with all required data security measures.
Finally, the exchange of data with these providers deserves special attention. In practice this will mostly be addressed with cryptography (encryption of data in transit and at rest, which Article 32 explicitly mentions), and the specific requirements, such as which data must be encrypted, how keys are managed and how this is verified, are worth writing into the contracts and service agreements with the relevant providers rather than leaving them implicit.
Feel free to contact the team to learn more about how Five Security can help you with your GDPR project.