One year of General Data Protection Regulation (GDPR) – A current view
On 25 May 2018, the EU General Data Protection Regulation (GDPR) went live after a 2-year transition phase. One year on, it’s time for an interim assessment from a B2B integration perspective:
GDPR requires that companies and organizations guarantee the security of business and customer data of individuals – the so called Personally Identifiable Information (PII). The standards of data protection have significantly increased and are taken very seriously, especially in Germany. Companies which do not comply with GDPR are now fined. This applies to large, international companies as well as small firms. The penalties are considerable and may also apply to those involved, e.g. managing directors, board members, data protection officers, CISO etc.
Different Handling Within the EU
GDPR was intended to lead to a harmonization of European data protection law for handling personal data.
The perception is that the risks and the data protection impact assessments required by the GDPR in Article 35 are not all treated in the same way across EU member states:
At SEEBURGER the requests for an appendix to an existing maintenance and support contract with an order processing contract come mostly (90%+) from German SEEBURGER customers; this means that Germany is clearly overrepresented from a statistical point of view. Discussions on formal contractual issues are also generally much more intensive than if the contract is discussed with a customer outside of Germany.
Interestingly, the nature of the data at stake and the Technical and Organizational Measures (TOMs) for this data is often not really considered at all.
Exchange of Personal Data Between Companies
The secure exchange of personal data across company boundaries is still not as well protected as it ought to be.
Basically, regular B2B data exchange between companies involves the following variants:
- System-to-System (upload of batch files, scheduled transfers)
- System-to-Human (distribution of scheduled reports or other regularly used data)
- Human-to-Human (ad hoc emails or manual FTP uploads)
A number of precautionary measures are still not taken with regards to addressing:
- Encryption and pseudonymisation of data
- Ensuring confidentiality and integrity
- Availability of systems and services
- Recovery after a failure
Additionally, an astonishing number of FTP channels, unencrypted emails and unauthorized personal Internet file services such as Dropbox, Hightail etc. are still being used – all of which contribute to the risk of contravening GDPR. A Managed File Transfer (MFT) solution is the answer to such problems.
Critical business data must not only arrive at the right place or at the right addressee, but also at the right time. This must also be comprehensible and verifiable. Therefore, only a combination of appropriate organizational and technical measures can help align with GDPR.
Take the GDPR issue seriously in any case. If you are not yet using a Managed File Transfer (MFT) solution, then you probably need to take action when exchanging data beyond the company firewall.
How SEEBURGER supports you in the safe handling of personal identifiable data (PII) can be found here. Download the free SEEBURGER brochure ‘Become GDPR-capable with your BIS6 installation!’
Get in contact with us:
Please enter details about your project in the message section so we can direct your inquiry to the right consultant.
Written by: Frank StegmuellerFrank Stegmüller is one of the two corporate information security officers at SEEBURGER and has been with the company since 2008. He has over 25 years of experience in service, support and information security for Enterprise Application Integration, EDI, B2B, MFT, API, ITSM and digital transformation - both on in-house systems and from the cloud. He is involved in the ISO/IEC 27001, ISAE 3402 (SOC 1) Type 2 and TISAX certification for SEEBURGER Cloud Services and knows all about the intricacies of compliant data centre operations in international environments.