General Data Protection Regulation (GDPR) - after one Year

One year of General Data Protection Regulation (GDPR) – A current view

Frank Stegmüller, Corporate Information Security Officer (Co-CISO), SEEBURGER

On 25 May 2018, the EU General Data Protection Regulation (GDPR) became applicable after a two-year transition period. One year on, it is time for an interim assessment from a B2B integration perspective:

First Penalties

GDPR requires that companies and organizations guarantee the security of business and customer data relating to individuals, i.e. personal data (often referred to as Personally Identifiable Information, PII). The standard of data protection has risen significantly and is taken very seriously, especially in Germany. Companies which do not comply with GDPR are now being fined, large international groups and small firms alike. The penalties are considerable and may also reach the individuals involved, e.g. managing directors, board members, data protection officers or the CISO.

Different Handling Within the EU

GDPR was intended to lead to a harmonization of European data protection law for handling personal data.

In practice, however, the risk assessments and data protection impact assessments (DPIAs) required by Article 35 GDPR are not handled uniformly across EU member states:

At SEEBURGER, requests to add a data processing agreement (Auftragsverarbeitungsvertrag, Art. 28 GDPR) as an appendix to an existing maintenance and support contract come predominantly (90%+) from German customers, so Germany is clearly overrepresented statistically. Discussions of formal contractual points are also generally far more intensive with German customers than with customers outside Germany.

Interestingly, the nature of the data actually at stake, and the Technical and Organizational Measures (TOMs) appropriate for that data, often receive hardly any attention at all.

Exchange of Personal Data Between Companies

The secure exchange of personal data across company boundaries is still not protected as well as it should be.

In practice, regular B2B data exchange between companies falls into three variants:

  • System-to-System (upload of batch files, scheduled transfers)
  • System-to-Human (distribution of scheduled reports or other regularly used data)
  • Human-to-Human (ad hoc emails or manual FTP uploads)

A number of precautions, most of them named explicitly in Article 32 GDPR, are still frequently not taken:

  • Encryption and pseudonymisation of data
  • Ensuring confidentiality and integrity
  • Availability of systems and services
  • Recovery after a failure
  • Traceability

In addition, an astonishing number of plain FTP connections, unencrypted emails and unsanctioned consumer file-sharing services such as Dropbox or Hightail are still in use, each of which raises the risk of a GDPR breach. A Managed File Transfer (MFT) solution is the answer to exactly these problems.

Critical business data must not only reach the right place and the right addressee, but also arrive at the right time, and all of this must be traceable and verifiable afterwards. Only a combination of appropriate organizational and technical measures can therefore bring data exchange into line with GDPR.
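As an added example (not SEEBURGER code and not part of the original post), the following Python script shows what three of the precautions listed above, pseudonymisation, integrity and traceability, look like for a system-to-system batch export. Everything in it is constructed for the demonstration: the two keys, the sender and recipient names and the sample customer rows are assumptions; in a real deployment the pseudonymisation key would live in the exporter's key store and never leave the organisation, and the transfer key would be agreed with the partner. Channel encryption (TLS, SFTP or AS2, as used by MFT products) is assumed and not shown; the script only uses the standard library.

```python
import csv
import hashlib
import hmac
import io
import json
from datetime import datetime, timezone

# Constructed demo keys (assumption: in practice both come from a key store;
# PSEUDO_KEY stays with the exporter, TRANSFER_KEY is shared with the partner).
PSEUDO_KEY = b"exporter-only-pseudonymisation-key"
TRANSFER_KEY = b"secret-agreed-with-the-partner"

# Constructed sample batch: a customer export that contains direct identifiers.
SAMPLE_ROWS = [
    {"customer_id": "C-1001", "email": "Anna.Mueller@example.com", "invoice_total": "129.90"},
    {"customer_id": "C-1002", "email": "b.schmidt@example.org", "invoice_total": "48.00"},
]


def pseudonymise(value: str, key: bytes = PSEUDO_KEY) -> str:
    """Replace a direct identifier by a keyed token (HMAC-SHA-256, 128 bits).

    Equal inputs give equal tokens, so the recipient can still link records,
    but re-identification needs the key, which the exporter keeps separately.
    An unkeyed hash would not do: e-mail addresses are guessable and could be
    recovered by a dictionary attack.
    """
    normalised = value.strip().lower().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:32]


def export_batch(rows, direct_identifiers=("customer_id", "email")) -> bytes:
    """Render rows as CSV with the direct identifiers replaced by pseudonyms."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()), lineterminator="\n")
    writer.writeheader()
    for row in rows:
        out = dict(row)
        for col in direct_identifiers:
            if col in out:
                out[col] = pseudonymise(out[col])
        writer.writerow(out)
    return buf.getvalue().encode()


def seal(payload: bytes, sender: str, recipient: str, key: bytes = TRANSFER_KEY) -> dict:
    """Sender side: manifest with who / to whom / when / what, plus an HMAC over it."""
    manifest = {
        "sender": sender,
        "recipient": recipient,
        "sent_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "size": len(payload),
        "sha256": hashlib.sha256(payload).hexdigest(),
    }
    canonical = json.dumps(manifest, sort_keys=True).encode()
    manifest["tag"] = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    return manifest


def verify(payload: bytes, manifest: dict, key: bytes = TRANSFER_KEY) -> tuple:
    """Recipient side: check the manifest tag first, then the payload against it."""
    unsigned = {k: v for k, v in manifest.items() if k != "tag"}
    canonical = json.dumps(unsigned, sort_keys=True).encode()
    expected = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("tag", "")):
        return False, "manifest tag mismatch"
    if len(payload) != manifest["size"]:
        return False, "size mismatch"
    if hashlib.sha256(payload).hexdigest() != manifest["sha256"]:
        return False, "payload hash mismatch"
    return True, "ok"


def audit_record(manifest: dict, result: tuple) -> str:
    """One JSON line per transfer for the audit trail: who, to whom, when,
    what (identified by hash, never by content) and whether it verified."""
    ok, reason = result
    record = {k: manifest[k] for k in ("sender", "recipient", "sent_at", "sha256")}
    record.update(verified=ok, reason=reason,
                  checked_at=datetime.now(timezone.utc).isoformat(timespec="seconds"))
    return json.dumps(record, sort_keys=True)


if __name__ == "__main__":
    data = export_batch(SAMPLE_ROWS)
    envelope = seal(data, sender="exporter.example", recipient="partner.example")
    print(audit_record(envelope, verify(data, envelope)))          # verified: true
    print(audit_record(envelope, verify(data + b"\n", envelope)))  # size mismatch
```

The manifest is checked before the payload so that a forged or altered manifest (e.g. a changed recipient) is rejected without trusting anything it says; the audit line records the payload only by its hash, so the trail itself does not become another copy of the personal data.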

Bottom line

Take GDPR seriously in any case. If you are not yet using a Managed File Transfer (MFT) solution, you probably need to act wherever data is exchanged beyond the company firewall.


How SEEBURGER supports you in the safe handling of personal identifiable data (PII) can be found here. Download the free SEEBURGER brochure ‘Become GDPR-capable with your BIS6 installation!’


Written by:

Frank Stegmüller is one of the two corporate information security officers at SEEBURGER and has been with the company since 2008. He has over 25 years of experience in service, support and information security for Enterprise Application Integration, EDI, B2B, MFT, API, ITSM and digital transformation - both on in-house systems and from the cloud. He is involved in the ISO/IEC 27001, ISAE 3402 (SOC 1) Type 2 and TISAX certification for SEEBURGER Cloud Services and knows all about the intricacies of compliant data centre operations in international environments.