Learn how LogiSense can provide you with the tools to make compliance easier. May 25th will mark a turning point in data privacy around the world, as organizations must comply with Europe’s General Data Protection Regulation (GDPR).
This regulation doesn’t just apply to European companies, but rather to all organizations with a presence in the European Union and those that process personal information of its citizens.
LogiSense has built compliance into the EngageIP platform by design, preparing its partners to meet the new standards conveniently and on time. Truthfully, it was a small step to reach GDPR compliance because the EngageIP platform already exceeded data processing standards for the Payment Card Industry Data Security Standard on which GDPR draws heavily.
The EngageIP platform complies with the GDPR legislation to an extent that our partners don’t need to revise their billing platform.
Review of the GDPR
The GDPR will change the way that organizations process personally identifiable information (PII), levying fines against those that fail to comply.
Those fines can reach 4% of an organization’s revenue, or €20 million. This makes it unaffordable to avoid compliance with the new legislation for most companies, but also cost-effective to get ahead of the curve.
All companies with a European or international presence will need to adopt this policy, paying particular attention to the Payment Card Industry Data Security Standard (PCI DSS), which has been enforced since 2006. Major credit card brands—Visa, American Express, JCB, MasterCard, and Discover—created an independent body to manage PCI DSS compliance.
Best practices for GDPR compliance build on existing best practices for PCI compliance, making it a natural evolution for the EngageIP platform. Organizations already following PCI regulations are positioned well to continue protecting consumer data privacy.
LogiSense already complies with PCI DSS regulation, putting the EngageIP platform—and LogiSense’s partners—ahead of the curve for May 25th.
How LogiSense Complies with GDPR
The General Data Protection Regulation has been long anticipated here at LogiSense, and we’ve been taking the time to build on EngageIP’s PCI Level 1 Certification to meet GDPR best practices with the overarching philosophy, “data protection by design.”
GDPR requires all European companies with more than 250 employees to meet its requirements. However, EngageIP meets both PCI and GDPR standards for billing and data processing, so customers don’t need to meet them independently with legacy systems.
EngageIP’s users can expect breach notifications with audit logs to investigate activity, encrypted data across the network, and robust log management records specifically for organizations to achieve compliance.
This is data protection by design.
LogiSense’s Core Pillars of GDPR Compliance
Access Management: EngageIP provides our partners with the access they need for any and all customer information, including network encryption and audit logs. LogiSense never retrieves your customer’s data without that customer’s permission.
Right to Access: The Right to Access grants data subjects the ability to request their personal information held by the controller (LogiSense’s partners). EngageIP now lets you meet such requests through granular permissions for system access, so that only authorized roles you have defined in EngageIP itself can act on them.
EngageIP now provides an Account Personal Profile under the Accounts and Roles menu, which lets LogiSense’s partners see reports based on a spectrum of personally identifiable information. This can be exported in an XML or CSV file at the controller’s discretion, and sending the report to the data subject remains entirely in the hands of the controller.
Right to Be Forgotten: EngageIP includes a feature to purge or anonymize accounts and related data for straightforward compliance with the Right to Be Forgotten. All sensitive information associated with the account is also purged or anonymized (only to denote that information was once held but is no longer accessible, as per any request that might occur).
This compliance system makes the account holder’s identity inscrutable even if an authorized entity can access multiple pieces of anonymized data. The process can follow any of these levels according to the need of the controller:
- Account Level Data: all personally identifiable information related to the account is purged.
- Role Profile Answers: all role profile data is purged.
- Audit Log: audit information and the corresponding personally identifiable information are purged.
- Event Log: all event information (recorded actions such as site visits) is purged.
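The four erasure levels above describe a procedure; the following Python script is an added example (not LogiSense or EngageIP code) that implements it over a constructed in-memory store. The table layout, the field names treated as PII, the `[erased]` tombstone and the per-record random account token are assumptions for illustration. The token is the detail that matters for the "inscrutable identity" property: every erased log record gets its own fresh token, so an authorized user who can read several anonymized records still cannot join them back to one account or to each other.

```python
"""Right-to-be-forgotten erasure at the four levels the text lists.

Added example, not LogiSense/EngageIP code. The store layout, field names,
tombstone value and token format are assumptions for illustration.
"""
import copy
import secrets
from datetime import datetime, timezone

TOMBSTONE = "[erased]"  # marks that a value once existed but is no longer held

# Fields treated as personally identifiable in each record type (assumed).
PII_FIELDS = {
    "accounts": {"name", "email", "phone", "address"},
    "role_profile_answers": {"answer"},
    "audit_log": {"actor_email", "detail"},
    "event_log": {"ip_address", "user_agent"},
}

LEVELS = ("account", "role_profile", "audit_log", "event_log")


def _scrub(record, fields):
    """Return a copy of record with the given fields replaced by the tombstone."""
    out = dict(record)
    for f in fields:
        if f in out:
            out[f] = TOMBSTONE
    return out


def _unlink(record):
    """Replace the account reference with a fresh random token so erased
    records cannot be joined with one another or with the account."""
    out = dict(record)
    out["account_id"] = "erased-" + secrets.token_hex(8)
    return out


def erase_account(store, account_id, levels=LEVELS):
    """Purge/anonymize PII for account_id at the requested levels.
    Returns a new store; the input store is left untouched."""
    unknown = set(levels) - set(LEVELS)
    if unknown:
        raise ValueError(f"unknown erasure level(s): {sorted(unknown)}")
    new = copy.deepcopy(store)
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")

    if "account" in levels:
        for i, acct in enumerate(new["accounts"]):
            if acct["account_id"] == account_id:
                acct = _scrub(acct, PII_FIELDS["accounts"])
                acct["erased_at"] = stamp  # non-PII marker: held once, now gone
                new["accounts"][i] = acct

    table_for_level = {
        "role_profile": "role_profile_answers",
        "audit_log": "audit_log",
        "event_log": "event_log",
    }
    for level, table in table_for_level.items():
        if level not in levels:
            continue
        new[table] = [
            _unlink(_scrub(r, PII_FIELDS[table])) if r["account_id"] == account_id else r
            for r in new[table]
        ]
    return new


def linkable_records(store, account_id):
    """Count log records across all tables still joinable to account_id."""
    return sum(
        1
        for table in ("role_profile_answers", "audit_log", "event_log")
        for r in store[table]
        if r["account_id"] == account_id
    )


def pii_values_present(store, values):
    """True if any of the given PII strings still appears anywhere in the store."""
    return any(v in values for table in store.values() for record in table for v in record.values())


# Constructed sample data (not real customer records).
SAMPLE_STORE = {
    "accounts": [
        {"account_id": "A-1001", "name": "Jane Example", "email": "jane@example.test",
         "phone": "+1-555-0100", "address": "1 Sample St", "plan": "business"},
        {"account_id": "A-1002", "name": "Sam Other", "email": "sam@example.test",
         "phone": "+1-555-0199", "address": "2 Sample St", "plan": "basic"},
    ],
    "role_profile_answers": [
        {"account_id": "A-1001", "question": "contact_preference", "answer": "jane@example.test"},
    ],
    "audit_log": [
        {"account_id": "A-1001", "action": "invoice.view", "actor_email": "jane@example.test", "detail": "invoice 42"},
        {"account_id": "A-1002", "action": "invoice.view", "actor_email": "sam@example.test", "detail": "invoice 43"},
    ],
    "event_log": [
        {"account_id": "A-1001", "event": "site_visit", "ip_address": "203.0.113.5", "user_agent": "Sample/1.0"},
    ],
}

# Every PII string held for account A-1001 in the constructed data.
JANE_PII = {"Jane Example", "jane@example.test", "+1-555-0100", "1 Sample St", "203.0.113.5"}

if __name__ == "__main__":
    after = erase_account(SAMPLE_STORE, "A-1001")
    print("linkable log records left:", linkable_records(after, "A-1001"))
    print("PII still present:", pii_values_present(after, JANE_PII))
```

Passing a subset such as `levels=("account",)` erases only the account record and leaves the logs joinable, which is what a controller would want when it must retain audit history for a legal hold; the full default erases all four levels. Non-PII attributes (here the `plan` field and the action names) survive so that aggregate reporting still works.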
Storage Selection: our partners decide on the region where their data is stored and secured. That information is never migrated or duplicated beyond that region of choice without the permission of the customer.
Content Security: LogiSense’s partners get to decide on how and where their data is secured. EngageIP provides robust encryption for all sensitive personally identifiable financial information (PII and PIFI) in transit.
Content Disclosure: LogiSense never discloses customer information outside cases of legal compliance or valid, binding orders from a governmental or regulatory body. If this does happen, then LogiSense notifies the customer in advance to provide enough time to obtain protection—unless legally barred from doing so.
Security Measures: LogiSense’s security control mechanisms and processes follow the highest global standards in data protection and privacy, validated by several independent appraisals.
Implementing a GDPR Compliance Plan with LogiSense
Audit (Taking Stock)
Every company must first conduct an audit on its own customer database and related information. The key mechanisms to identify are:
- A clearly defined record of personally identifiable information and its source.
- A codified policy and process for which information is kept and why it is needed.
- Clear mechanisms for individuals to withdraw their personal data.
- Policies outlining the length of time that data will be kept.
First Steps to Fulfill GDPR
Data Protection Impact Assessment
The audit is an immediate assessment of your organization’s capability to fulfill the GDPR to inform executive decisions. A Data Protection Impact Assessment, on the other hand, is the next step.
It involves legal, IT, and security departments, scrutinizing the entire organization’s means of sourcing, securing, and protecting personally identifiable data.
Assign a Data Privacy Officer
Conducting an impact assessment might only be possible with an employee dedicated to enforcing it. While it’s not wrong to assume that employees have your organization’s best interests at heart, they each have pre-existing responsibilities and areas of expertise.
The new GDPR legislation may in fact call for a new position in every enterprise dedicated to compliance with new data privacy and protection legislation—someone who reports directly to the body of leadership so that the organization can make informed decisions that reshape its own processes.
Adopt “Data Protection by Design” Policy
The European Union has made available article 25 of the GDPR, which companies are encouraged to adopt into their own policies.
This will give organizations a clear direction to implement any necessary audits and changes, as well as providing the Data Privacy Officer with a codified impetus to conduct work that supersedes everyday operations.
Implementing GDPR Regulations and Practice
There are several things that we recommend LogiSense’s customers do to prepare for the new legislation on May 25th, listed below.
Distribute Internal Literature and Train Employees
Entire organizations should read about GDPR compliance, but it is critical that organizations distribute related literature to IT, security, and legal departments, as well as executive teams.
This allows the experts to incorporate GDPR compliance into their designs and new processes, and to conduct ongoing department and product audits to stay on top of legal compliance.
It also lets company and department leaders facilitate employee training in data protection by design. A single Data Protection Officer might be able to do this at regional companies, but national and multinational organizations will require more than one person to disseminate knowledge efficiently.
Apply Security Notification Procedures
The GDPR calls for organizations to notify customers affected by data breaches within 72 hours. EngageIP covers these notifications and provides activity logs for investigations that organizations need to conduct immediately upon discovering any security-related incidents.
Set Intervals for Recurring Audits
Legal compliance calls for a pattern of recurring, proactive investigation and maintenance of processes involving the storage of personally identifiable information.
Targeted audits might be conducted every month. Compliance checklists can also be incorporated into the workflow of all employees involved with the gathering, transmission, and storage of PII.
While a detailed data protection impact assessment may take much longer—and therefore require longer intervals for formal assessments—the most common and easily accessible information about security and process compliance can be verified on a frequent basis.
How LogiSense Processes and Protects Personally Identifiable Financial Information
EngageIP protects personally identifiable financial information through a series of interconnected features that support a standard of data protection by design.
Hosted Payment Page
EngageIP’s hosted payment page meets and exceeds PCI billing compliance by encrypting, storing, and securing credit card data. The billing platform relieves partners from having to develop their own internal, proprietary software to meet compliance directly.
Roles and Permissions
EngageIP allows LogiSense’s partners to assign roles with specific permissions. This restricts access to data only to those who need it for specific purposes at specific moments, leveraging the restriction of access as its own layer of security.
This fulfills article 25 of the GDPR, “data protection by design.”
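The Right to Access feature described earlier (granular permissions, a report exported as XML or CSV) and the roles-and-permissions model here share one mechanism: a role's permission set decides which PII a user may read and whether they may produce the report at all. The Python below is an added example, not EngageIP code; the role names, permission strings, field categories and report format are assumptions for illustration. It gates the export on a permission, filters the report to the fields the role may see, and writes an audit entry for both allowed and denied attempts.

```python
"""Role-gated subject access report with field-level permissions.

Added example, not LogiSense/EngageIP code. Roles, permission names,
field names and the report format are assumptions for illustration.
"""
import csv
import io
import xml.etree.ElementTree as ET

# Permission each PII field requires (assumed categories: contact vs financial).
FIELD_PERMISSION = {
    "name": "pii.read.contact",
    "email": "pii.read.contact",
    "phone": "pii.read.contact",
    "card_last4": "pii.read.financial",
    "billing_address": "pii.read.financial",
}

# Role definitions (assumed). Only roles holding "report.export" may produce a report;
# the privacy officer holds every read permission so its report is complete.
ROLES = {
    "support_agent": {"report.export", "pii.read.contact"},
    "privacy_officer": {"report.export", "pii.read.contact", "pii.read.financial"},
    "read_only_viewer": {"pii.read.contact"},
}


def permitted_fields(role):
    """PII fields the role may read, in report order."""
    perms = ROLES.get(role, set())
    return [f for f, p in FIELD_PERMISSION.items() if p in perms]


def export_subject_access_report(account, role, fmt, audit_log):
    """Build a CSV or XML report of the PII held for one account, limited to the
    fields the acting role may read. Appends an audit entry either way."""
    entry = {"role": role, "account_id": account["account_id"], "action": "report.export"}
    if "report.export" not in ROLES.get(role, set()):
        audit_log.append({**entry, "outcome": "denied"})
        raise PermissionError(f"role {role!r} may not export subject access reports")

    fields = permitted_fields(role)
    rows = [(f, account[f]) for f in fields if f in account]

    if fmt == "csv":
        buf = io.StringIO()
        writer = csv.writer(buf, lineterminator="\n")
        writer.writerow(["field", "value"])
        writer.writerows(rows)
        out = buf.getvalue()
    elif fmt == "xml":
        root = ET.Element("subject_access_report", account_id=account["account_id"])
        for f, v in rows:
            ET.SubElement(root, f).text = str(v)
        out = ET.tostring(root, encoding="unicode")
    else:
        raise ValueError("fmt must be 'csv' or 'xml'")

    audit_log.append({**entry, "outcome": "ok", "fields": fields, "format": fmt})
    return out


# Constructed sample account (not a real customer record).
SAMPLE_ACCOUNT = {
    "account_id": "A-1001",
    "name": "Jane Example",
    "email": "jane@example.test",
    "phone": "+1-555-0100",
    "card_last4": "4242",
    "billing_address": "1 Sample St",
}

if __name__ == "__main__":
    log = []
    print(export_subject_access_report(SAMPLE_ACCOUNT, "support_agent", "csv", log))
    print(export_subject_access_report(SAMPLE_ACCOUNT, "privacy_officer", "xml", log))
    for e in log:
        print(e)
```

The denied attempt is logged before the exception is raised, so the audit trail records who tried to export a report without the permission, which is the evidence an investigation under the breach-notification procedure would look for. Sending the resulting file to the data subject stays outside this function, matching the text's point that delivery remains the controller's decision.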
EngageIP provides SOAP and REST API support for integration with customer relationship management (CRM) software, often where PII or PIFI rests.
EngageIP also provides SSL-based authentication for SOAP and REST, securing all XML-based messages. API requests and transactions must originate from an authorized role with username and password authentication on top of that, adding extra layers of security.
SOC Type 2 Report
LogiSense has achieved SOC Type 2 certification by the American Institute of Certified Public Accountants’ standard for controls.
The certification itself comes from an accredited third-party auditing and accounting firm that has evaluated EngageIP’s security and control mechanisms to protect consumer data according to these criteria:
- EngageIP’s controls protect against unauthorized digital and physical access.
- EngageIP’s processing is accurate, timely, and never unauthorized.
- EngageIP maintains data confidentiality while processing.
- EngageIP meets best practices for collecting, processing, and retaining personal information according to the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants.
The SOC Type 2 Report certifies that the EngageIP platform has been tested thoroughly over a certain length of time for the elements above.
SOC Type 2 certification works hand-in-hand with PCI Level 1 certification, verifying that EngageIP meets the security requirements to process over six million transactions per year. LogiSense undergoes an annual audit conducted by an authorized PCI auditor and quarterly PCI scans conducted by an approved scanning vendor.
PCI Level 1 is the highest level of compliance certification that can be achieved.
This gives LogiSense the ability to:
- Evaluate CSP’s internal control effectiveness for financial reporting.
- Perform critical risk assessments for CSPs.
- Describe how a CSP’s system works to meet customer needs.
- Produce an estimate of the fairness of the CSP’s system and structure.
Ask the team at LogiSense how you can prepare for the General Data Protection Regulation legislation, which takes effect on May 25.