The new EU GDPR is coming fast!

22nd February 2016

The new EU GDPR regulation is fast approaching, and at Five Security we believe it will have a significant (and interesting) impact on how companies must manage the data of their customers and end users.

What is at stake is, first of all, the sanctions for non-compliance with the new rules: fines of up to 4% of annual turnover, with a maximum of € 20 million. But once the initial apprehension passes and the analysis begins, we realised quite quickly that the main principles of the regulation do make sense.

Some of the main ideas of the GDPR are:

  • The right to be forgotten: your customers will now have the right to demand the permanent erasure of the personal data that concerns them.
  • Clear and explicit consent: it will be necessary to explain clearly to users what data will be processed and for what purposes, and to ensure that the user gives consent to the processing of their data in a clear and explicit way.
  • Portability: the persons concerned must be able to receive all of their personal data in an electronic format.
  • The obligation to notify: when a security incident involving personal data occurs, it will become mandatory to notify the national authority and the persons concerned.
  • Security of processing: the personal data collected must be processed in a way that ensures its security.

On this last point concerning data security, the regulation does not give details on the “how” but simply sets out broad principles on “appropriate technical and organisational measures to ensure and be able to demonstrate that the processing shall be carried out in accordance with this Regulation”.

Article 24 of GDPR thus confirms that processors can use approved “best practice” codes of conduct or certification mechanisms as “an element to demonstrate compliance with the obligations of the data controller”.

The ISO/IEC 27001 standard comes to mind, since it is entirely about implementing an information security management system; so does PCI DSS, with its structured set of strong requirements for protecting a particular type of personal data (payment card data).

Another fundamental aspect of GDPR concerns relations with external third-party providers that play a role in the processing of personal data. Data acquisition and outsourcing processes will necessarily have to be re-evaluated against GDPR, and service contracts will likely require a detailed analysis to verify their compliance with the new regulation.

The principle is that a “controller” will be just as responsible for a violation as the provider that failed to secure the data. Service contracts should therefore include clear provisions limiting the use of multiple stakeholders/processors who may not comply with all of the required data security measures.

Finally, the exchange of data with these providers deserves special attention to ensure its security. In practice this will mostly be addressed with cryptography, and the cryptographic measures required should be written into the contracts and service agreements with the relevant providers.

Feel free to contact the team to learn more about how Five Security can help you with your GDPR project.
