Intelligent CIO Europe Issue 62 | Page 35

EDITOR'S QUESTION
RICARDO FERREIRA, EMEA FIELD CISO, FORTINET

The EU General Data Protection Regulation (GDPR) is a comprehensive framework of data protection rules put in place to protect the personal data of individuals within the European Economic Area (EEA). It applies to any organisation – regardless of location – that processes the personal data of individuals within the EEA. This means that even companies based outside the EU must comply with the GDPR if they process the personal data of individuals within the EEA.

Regarding cross-border payments and customer data, the GDPR helps to protect this data by imposing strict obligations on controllers and processors to ensure that personal data is secured. For instance, controllers are required to appoint a representative in the EEA (if they are not established there) to ensure that someone within the EEA is responsible for GDPR compliance. This is especially important for cross-border payments and customer data, as having a representative within the EEA ensures that there is a point of contact for data protection authorities and data subjects.

On the technical side, this is achieved through organisational measures and the pseudonymisation of data where appropriate. For example, controllers and processors are required to conduct Data Protection Impact Assessments (DPIAs) to identify and mitigate risks to the rights and freedoms of data subjects. This can be particularly important when dealing with cross-border processing, as it helps to ensure that the data protection risks are identified and addressed.

The GDPR also establishes the concept of a ‘lead supervisory authority’ to ensure that there is a single point of contact for data protection authorities and data subjects. The lead supervisory authority is the data protection authority that is competent to supervise the controller or processor in question, which is especially relevant for situations where multiple controllers or processors are operating in different countries. This helps to ensure that there is a consistent and coordinated approach to data protection concerning that controller or processor.

In addition, the GDPR provides for individuals' rights, such as the right to data portability and the right to be forgotten, which can be especially important when dealing with cross-border processing. These rights help to ensure that individuals have control over their data and can help facilitate the movement of personal data between countries.

Guidelines 8 and 9/2022 are providing more clarity on compliance for cross-border payments and customer data, and regulators will enforce GDPR rules. Companies will have to be accountable for protecting their customers' data if they are dealing with the EU's customers or data subjects. Organisations need to understand their responsibilities and comply with the GDPR when processing the personal data of individuals within the EEA to avoid penalties and ensure that personal data is properly protected, as we have seen with the latest €390 million fine.
www.intelligentcio.com INTELLIGENTCIO EUROPE 35