This blog post will give you an insight into the new European Union General Data Protection Regulation (GDPR) from the European Parliament and Council, and how it will impact Nodes and the digital and mobile industry.
Briefly about the new data protection law
The data protection law will come into force on 25 May 2018. These are the most important points:
- An expanded definition of personal data, which now includes IP addresses, cookies and other identifiers that are assigned to the user
- Increased fines: penalties will start at €10m or 2% of gross revenue and go all the way up to €20m or 4% of gross revenue
- Coverage of countries outside the EU if data is being transferred to or stored within the EU
- Profiling and targeting based on big data will likely require explicit consent from each user
- Data Protection Officers: both controllers and processors must assign a designated DPO
- When a breach happens, it must be notified to the DPO within 72 hours
- Processing of personal data may require a consent mechanism for collecting and processing data
- What defines a breach? “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”
How will this impact corporations and service providers?
Corporations will have to be more aware of who is handling their data. If a corporation exposes a public API or other services, the requester will still be the data controller. The challenge is that the corporation has now opened a door into systems where traffic was only supposed to go one way.
This essentially means that they need to make sure their security is up to date and not rely on old, unpatched systems. It also means we will probably see stricter security screening before corporations allow third parties to request and amend data on their servers.
Digital and mobile agencies already find it quite a challenge to get hold of corporations' APIs and services as it stands today. Adding this layer on top will not make the challenge easier.
Judopay and Service providers
We asked Judopay two questions about how service providers such as themselves will react:
1. What does Judo do to keep their stack and protocols ready for GDPR?
“At Judopay, security and strong data management processes are core to our DNA. In being a processor of financial transactions, we collect different types of data that are covered by the DPA as is necessary to provide our advanced fraud detection technology and to create accounts, including customer data, consumer data, and employee data.”
“As a well-established global payments company, we have in practice the most advanced data controls on all EU and non-EU personal data points that we collect and process, tightly limiting access to our databases that store this information.
For just a few examples of what we have in place, we run a PCI Level 1 data environment and have strict security controls from code creation to production with regular external penetration tests and security and risk assessments conducted by industry leaders.”
2. Does Judopay see any challenges with the new regulations from a service provider's point of view?
“In the U.S., we’ve already seen a consistent movement of businesses to minimize the data that they process and store, often by working with third parties like Judopay who have data security at the heart of their business.”
“To meet the new GDPR requirements, many companies will need to dramatically upgrade how they collect, store and process information and increase their investment and focus on data protection.
They will need to take a much more transparent approach to informing consumers of the data they collect, and those with the best focus on security will limit that data to the least possible to provide the best experience.
For example, does the company really need to capture the customer’s full address or geo-location?”
For more information about Judopay please visit their website here
Nodes and GDPR?
Nodes uses Amazon Web Services (AWS) as our hosting solution. This means that Nodes is considered a Data Controller (in the sense of Directive 95/46/EC). AWS is the Data Controller for the physical data storage, while Nodes is the Data Controller at the application layer.
This means that if someone walks into Amazon's storage and steals a server or hard drive, Amazon will be fined. Nodes is responsible for making sure new security patches are applied across the frameworks and stack that we are using.
We strive to always follow AWS best practices: all our servers are placed in a VPC (Virtual Private Cloud) with strict access rules.
Access to our servers is secured with 4096-bit encrypted keys and a password issued to each Operations member. We log as much as possible (web requests, access, etc.) on external systems, so we always have a digital footprint outside the servers to know what is going on, and we perform regular audits of these logs.
All members of our Operations team are trained to handle data and servers in a secure way, and always keep up with the latest threat analyses and best practices around security.
All systems are patched regularly through Puppet. Our data is located only in the EU (AWS: eu-west-1 Ireland; Hetzner: Germany).
Nodes currently uses Laravel 5.3 as our server framework of choice. Laravel updates the framework frequently; Nodes is always at the forefront of these updates and uses part of our clients' maintenance package (with their consent) to make sure all patches and frameworks are up to date.
Nodes has an operations team based in our Copenhagen office that monitors our stack and hosting daily.
For any more information please don’t hesitate to contact us at Nodes Agency
Oliver Wang Hansen
Technical Director UK