Interview with Karl Alles
Karl Alles heads Security Management for Worldline. He joined us in 1989.
Worldline processes personal data both for internal purposes and for its customers. In this context, what organizational and security measures have we put in place to protect said data?
In terms of organizational measures, each Worldline region has appointed a Data Protection Officer who supports the regional line management in the deployment and maintenance of required technical and organizational measures. Their tasks include, among others:
Privacy impact assessments;
Tracking of the completeness of the required documentation related to the processing of privacy data;
Assurance of regular performance of data protection trainings for all employees;
Inclusion of data protection clauses in contracts with suppliers and customers;
And providing requests for feedback from customers or authorities related to data protection.
On the technical side, in order to ensure confidentiality, integrity and availability of personal data, access controls, both for physical and logical security, to that information are in place and regularly monitored. The systems and applications that process, store and transmit personal data are hardened according to documented standards, including virus protection, known security vulnerabilities, secure coding, logging and monitoring. Additionally, information is backed up at regular intervals to ensure availability in case of incidents.
Given the level of sensitivity of the aforementioned data, Worldline is globally recognized as a trusted third party. Can you tell us more about this status?
Worldline successfully passes demanding external audits on a regular basis. This proves our compliance with internationally recognized security standards such as PCI DSS*. Said standards are known beyond pure security communities since they embody effectiveness in terms of securing sensitive information. This reflects positively on our reputation as a trusted third party, able to protect efficiently and effectively large amounts of sensitive information. We also provide the right level of assurance to our customers by giving them access to perform audits. These audits help us to continuously improve our protection level in line with the trust level that we need to maintain in order to remain successful and competitive in highly regulated business sectors.
As a trusted third party, what kind of commitments have we made towards the treatment of personal data?
The baseline is always the applicable data protection legislation to which Worldline commits to adhere. Beyond that, it is determined by the specific agreements made between customers, owners of the data, and Worldline, as the third-party processor. Each customer has his own risk tolerance, not only determined by the legislation in place but also by internal risk factors. They perfectly know which risks they need to mitigate, especially when it comes to third parties' involvement. The strict application of information security standards, including annual audits, supports these commitments but can also create a risk. In cases where the security baseline is kept in agreement with customers, specific attention needs to be put on response capabilities to any kind of incident in order to quickly and professionally contain potential reputational damage impacting Worldline as a trusted third party.
Besides data protection, what advantages can our clients expect from our role as a trusted third party?
In addition to protecting our customers’ valuable information in an efficient and effective way, we help them in reducing their efforts when it comes to the identification of new and ever-changing threats, the application of a broad range of required security measures and the required recurring audits to secure a good level of assurance.
Thank you for your time today, Karl. I will leave you with one final question: if you could invent a new innovative solution to help with one of your daily tasks, in your professional and/or private life, what would it be and why?
A solution which would support me in managing my day-to-day agenda in a proactive way, also taking into account my needs and preferences in terms of work-life balance.
* Payment Card Industry Data Security Standard