The European Union has introduced a framework of data protection regulations for securing the private information handled by organizations such as banks, telecom companies, airlines and other service providers. The GDPR is intended to be enforced from 25th May 2018, from which date non-compliant organizations will face heavy fines. The GDPR will apply both to companies within the European Union and, under certain conditions, to companies outside it. As a complement to the GDPR, member states are required to adopt national data protection laws that accompany and abide by it.
Under the GDPR, an organization that processes personal information in the course of providing its services is the designated controller of the personal data it processes. As the data controller, the organization is required to decide the purposes and means of this processing, and is responsible for the secure treatment of, and accountability for, this personal data. Any organization that functions as a partner or service provider, has access to or processes personal data, and accordingly acts as a data processor, falls within the scope of the data controller's obligations. The data controller will provide specific guidance on how the personal information being processed has to be secured.
GDPR Consulting and Implementation
Crossbow Labs consults on the industry best practices for implementation of security controls to achieve the objectives of GDPR. This includes implementation of defense in depth practices spanning network architecture, application security, IT infrastructure security, policies and procedures in maintaining the security of the data.
Website – http://www.eugdpr.org/
Regulation – http://www.eugdpr.org/the-regulation.html
SLA – Possession, Use, Distribution of PII
If personal data is processed on behalf of the data controller, an SLA is required which sets out all the techniques, processes and responsibilities the organizations will follow to abide by the GDPR. Concluding such an agreement is a legal obligation, and the agreement can be amended to suit the specific situation so that it fits the cooperation between the data controller and the service provider or partner. This SLA applies to all data processed on behalf of the data controller.
To help the data controller understand the practical ramifications of such agreements, partners and service providers must provide access to, and knowledge of, their organizational security policies, their points of contact and how communication is handled, and must demonstrate how data security technologies such as data encryption are effectively implemented.