Since May 2018, GDPR is the relevant legislation in the EU (plus Norway and Switzerland=EEA), requiring companies doing business in this geographic area to employ state-of-art technical and organisational measures to ensure data security and privacy. These measures include monitoring, alerts, audit trails, user rights management, encryption, data integrity, resilience of systems and services, etc., independent of technology (e.g. cloud) or line of business.
Usually, the GDPR is more demanding than other (older) frameworks, and overlaps quite a bit with PCI and other regulations/certifications:
- Identify sensitive data
- Reduction of the amount of sensitive data
- Security of the data you keep
- Limit access
- Log access
- Assessment for compliance
- Preparation to respond to data breaches
Differences between GDPR and PCI:
- Consequences of noncompliance
- PCI DSS is an independent standard, the GDPR is enforced by any government authority
- Scope: cardholder data vs. all personal data in general
- Who's data: every cardholder vs. citizens of the EEA
Although tyntec has not been certified according to ISO 27001 or the "BSI Grundschutz" we have been audited on-site by some of our customers without major findings (Porsche, WebId Solutions, DAB bank).
For more information about tyntec’s GDPR compliance, please check our Security and GDPR Guide here.