The EU General Data Protection Regulation (GDPR, known in German as the EU-DSGVO) leads to a far-reaching harmonization of European data protection law for personal data. The changes become legally binding on 25 May 2018, so the clock is ticking.
The GDPR's definition of 'personal data', the so-called Personally Identifiable Information (PII), is very broad: names, birthdays, photos, addresses and even social media posts fall under the GDPR.
Secure data exchange therefore becomes even more important, since exchanged data can contain personal data. By law this requires:
- Encryption and anonymization of the personal data
- Securing confidentiality and integrity
- Availability of systems and services to be able to access data if needed
- Recovery of personal data in a secure way after a failure
This applies to a wide variety of data exchange scenarios: system-to-system (upload of batch files, scheduled transfers), system-to-human (planned reports) and human-to-human (ad hoc emails or manual FTP uploads).
Companies with uncoordinated, decentralized data exchange in particular run the risk of committing data breaches from 25 May 2018 onwards. The penalties for inadequate protection of personal data are considerable and can also apply personally to those held responsible (e.g. managing directors, board members, data protection officers, the CISO, etc.).
Even if, for organizational reasons, you can completely rule out that your data contains personal references (e.g. customer data, credit card data), business data is still critical and usually confidential. Think of financial data, price lists, contracts, payment information, intellectual property, inventory, orders or supply chain data.
Business-critical data does not only have to arrive at the right place and the right addressees at the right time; you must also be able to track and prove that it did. Only a combination of organizational and technical measures will therefore put you on the safe side.
In the case of structured data, IP-based encrypted protocols using signed certificates such as AS2 or OFTP2 have become the de facto standard for EDI.
For unstructured data, plain FTP channels are still widespread, and Internet services for which no reliable data processing agreement can be put in place have become common. If that is the case in your company too, you should consider a Managed File Transfer (MFT) solution sooner rather than later.
For more than 30 years, SEEBURGER has been an expert for the secure exchange of data between national and international customers and their trading partners.
Written by: Frank Stegmüller. Frank Stegmüller is one of the two corporate information security officers at SEEBURGER and has been with the company since 2008. He has over 25 years of experience in service, support and information security for Enterprise Application Integration, EDI, B2B, MFT, API, ITSM and digital transformation, both on in-house systems and from the cloud. He is involved in the ISO/IEC 27001, ISAE 3402 (SOC 1) Type 2 and TISAX certification for SEEBURGER Cloud Services and knows all about the intricacies of compliant data centre operations in international environments.