Interview with Lëtzebuerger Gemengen, translation by itrust consulting. On 28 May 2018, the General Data Protection Regulation (GDPR) came into force in the EU. Three and a half years later, many organisations are slow to comply, considering it too complex. For Carlo Harpes, the situation is worrying. The Managing Director of itrust consulting recommends PIMS, a Privacy Information Management System, helping companies in order to comply with the GDPR requirements. Explanations. What is a PIMS? A ‘privacy information management system’, abbreviated ‘PIMS’ even in French, is an ‘information security management system that manages the protection of privacy as potentially affected by the processing of personal data’. Personally, this is what I would have called a ‘management system to protect personally identifiable information’ and I would present it as a way to comply with the GDPR. To implement this, there are 1,001 solutions, usually valid for small organisations where data protection is not the primary concern. But for the past 26 months there has been one PIMS, which has been described so precisely that organisation can be certified on this basis, the one documented in ISO/IEC 27701. Who needs it? 3,5 years was not enough time for most organisations to comply with the GDPR. How many have not appointed a DPO (although this is a legal requirement for any public entity)? How many do not have a register of processing that complies with the requirements? How many cannot prove to the CNPD their compliance with the principles of the GDPR, including the one requiring ‘appropriate technical and organisational measures’? Faced with the difficulty of knowing what is appropriate and how to demonstrate it, leaders (policy makers, mayors, heads of administration, CEOs and manging directors), often give up and hide behind the non-compliance of their neighbours. From my observations, this situation is worrying, and only the CNPD, which has the obligation to sanction, should be aware of this state. All the organisations involved here would have benefited from this PIMS. Who defined this PIMS? The Luxembourgish authority ILNAS, which I represented at ISO in multiple expert meetings dedicated to this standard since 2014, was arguing with its European partners for a fast and fully GDPR compatible standard. To support compliance with these requirements, we have made numerous suggestions for improvements to the overly complicated numbering and certain overly cumbersome wording. In France, the CNIL has welcomed its participation and encourages the adoption… Read more »

Dr Carlo Harpes to explain the potential of the EU Certification initiative, the role of regulators and public procurement to require certification, the pitfalls in certification such as with the LU CARPA initiative, the need for collaboration among all actors, the need to learn and improve ICT development lifecycle and testing, the danger of dependency after mergers of today’s certification authorities and the importance to care about ‘high’ certification that should stay feasible for innovative company, not only for market leaders.

An SES-driven consortium that seeks to develop a satellite-terrestrial quantum communication infrastructure and the roadmap for wider European integration, setting the path for next-generation cybersecurity. To design the LuxQCI, Luxembourg has put in place a consortium comprising InCert, itrust consulting, LuxConnect, LuxTrust and the University of Luxembourg (SnT), that is led by SES’s fully owned affiliate SES Techcom.