The 2-year transition period for the introduction of the GDPR requirements ends on May 25th, 2018.
From then on, European data protection will play an even more important role.
The harmonization of the principles at European level replaces unilateral national efforts to protect personal data. Violations of data protection are no longer punished at national level, but at European level. With fines capped at 2-4% of worldwide group turnover, but at least € 10-20 million, non-compliance with GDPR requirements represents an existential risk for companies.
GDPR requires risk management: for example, data protection impact assessments are mandatory before introducing new technologies whose processing of personal data carries a high risk.
For internationally active companies, a further complication is that in mid-December 2017 it became known that the Article 29 Group of Data Protection Commissioners believes that the current Privacy Shield Agreement with the USA does not guarantee the protection of personal data required by the European Court of Justice.
From May 25th, 2018 onwards, companies with an uncoordinated and decentralized data exchange in particular run the risk of committing data breaches by failing to comply with the principles of lawfulness, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality. This is further aggravated by the extension of the protection of personal data to all forms of processing.
In this increasingly complex environment, compliance plays a central role. Do you control the risks?
1) Legal framework conditions
An exchange of data with the USA is only legitimate if binding corporate rules or contracts based on the EU standard contractual clauses have been concluded within an affiliated group of companies.
Companies must enter into order processing agreements (Auftragsverarbeitungsverträge, AVV, in German) and nondisclosure agreements (NDA) with their customers, IT service providers, consulting partners and data center providers. Generic order data processing contracts (Auftragsdatenverarbeitungsverträge, ADV, in German) are no longer permitted. The type of AVV required by the GDPR must contain an order-specific part, which describes the order-specific technical and organizational data protection measures in detail.
Because the GDPR makes organisations accountable for demonstrating their compliance, documentation becomes even more important, so data protection track records need to become more detailed.
2) Application design
Data protection must already be built into the design of the application, following the principles of “data protection by technology design” and “data protection by default”.
3) Operation of secure cloud services
The majority of companies use cloud services from external service providers to some extent. The provider liability introduced by GDPR means that providers of cloud services can increasingly be held liable; however, the correct choice of service provider and the evaluation of the measures implemented to protect data remain a real challenge. Certifications and attestations by external auditors form a good basis for this evaluation.
4) Secure exchange of data
Encryption and pseudonymization of data, ensuring the confidentiality, integrity and availability of systems and services, and recovery after a physical or technical incident are required.
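As an added example (not code from the original article or from SEEBURGER's products), the following Python shows what pseudonymization combined with data minimisation can look like before a record set is exchanged with a partner: direct identifiers are replaced by a keyed HMAC pseudonym, fields the recipient does not need are dropped, and the key stays with the controller as the "additional information" that pseudonymization keeps separate. The field names, sample records and key handling are assumptions made for this example.

```python
"""Keyed pseudonymisation of an export before exchange (added example).

Assumptions (constructed for this example): records are dicts with the
fields shown in SAMPLE_RECORDS; the pseudonymisation key is generated
and stored by the controller, separately from the pseudonymised data.
"""
import hashlib
import hmac
import secrets
from typing import Iterable, List, Optional

# Fields the downstream process actually needs (data minimisation):
# everything else is dropped before the record leaves the controller.
FIELDS_TO_KEEP = ("order_id", "country", "amount_eur")
# Direct identifiers that are replaced by a keyed pseudonym.
IDENTIFIER_FIELDS = ("customer_email",)


def pseudonym(value: str, key: bytes) -> str:
    """Return a stable, keyed pseudonym for a direct identifier.

    HMAC-SHA256 is used rather than a plain hash: e-mail addresses are
    low-entropy, so an unkeyed SHA-256 could be matched back to guessed
    inputs, whereas without the key a recipient cannot recompute or verify
    pseudonyms. Normalisation keeps the same person linkable across
    records that differ only in letter case or surrounding whitespace.
    """
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise_record(record: dict, key: bytes) -> dict:
    """Keep only the needed fields and replace identifiers by pseudonyms."""
    out = {f: record[f] for f in FIELDS_TO_KEEP if f in record}
    for f in IDENTIFIER_FIELDS:
        if f in record:
            out[f + "_pseudonym"] = pseudonym(record[f], key)
    return out


def pseudonymise_batch(records: Iterable[dict], key: bytes) -> List[dict]:
    return [pseudonymise_record(r, key) for r in records]


def contains_direct_identifiers(records: Iterable[dict]) -> bool:
    """Release check: no raw identifier or dropped field may remain."""
    forbidden = set(IDENTIFIER_FIELDS) | {"customer_name", "date_of_birth"}
    return any(forbidden & set(r) for r in records)


def new_key() -> bytes:
    """Controller-side secret; in practice held in a KMS/HSM (assumption)."""
    return secrets.token_bytes(32)


# Constructed sample export; not real customer data.
SAMPLE_RECORDS = [
    {"order_id": "A-1001", "customer_email": "Alice@Example.org",
     "customer_name": "Alice Example", "country": "DE", "amount_eur": 120.5,
     "date_of_birth": "1980-01-01"},
    {"order_id": "A-1002", "customer_email": " alice@example.org",
     "customer_name": "Alice Example", "country": "DE", "amount_eur": 80.0,
     "date_of_birth": "1980-01-01"},
    {"order_id": "A-1003", "customer_email": "bob@example.org",
     "customer_name": "Bob Example", "country": "AT", "amount_eur": 15.0,
     "date_of_birth": "1975-06-30"},
]


def prepare_export(key: Optional[bytes] = None) -> List[dict]:
    """Produce the pseudonymised export and refuse to ship it if the
    release check fails."""
    key = key if key is not None else new_key()
    out = pseudonymise_batch(SAMPLE_RECORDS, key)
    if contains_direct_identifiers(out):
        raise RuntimeError("export still contains direct identifiers")
    return out


if __name__ == "__main__":
    for row in prepare_export():
        print(row)
```

The two orders placed by the same e-mail address receive the same pseudonym, so the recipient can still group a customer's orders, while a different key (for a different partner or reporting period) yields unrelated pseudonyms and prevents linking the two exports.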
5) Burden of proof
Proof of the effectiveness of the measures by means of internal audits and external certifications and attestations (e.g. ISO/IEC 27001 and ISAE 3402 (SOC 1) Type 2) is needed.
The good news is that GDPR harmonizes data protection at the European level and simplifies international data exchange, since individual national regulations no longer have to be taken into account. This reduces the overall effort for organisations which act internationally.
For more than 30 years, SEEBURGER has been an expert for the secure exchange of data between national and international customers and their trading partners. SEEBURGER products are used worldwide by more than 10,000 customers locally or as cloud services.
We can help you – Please feel free to contact us!
Written by: Christoph Stäb
Christoph Stäb is the Corporate Information Security Officer (CISO) at SEEBURGER. He has 14 years of experience with the quality management and security considerations of SEEBURGER products and services. He has achieved ISO/IEC 27001 and ISAE 3402 (SOC 1) Type 2 certifications for SEEBURGER Cloud Services and knows data center operation in compliance with guidelines in international environments from the inside.