The European Union’s General Data Protection Regulation (GDPR) comes into force on May 25, 2018 and has been described as the most significant overhaul of data protection law in a generation. The regulation applies to organizations worldwide that offer goods or services to individuals in the EU, and the penalties for non-compliance are severe. In replacing the outdated 1995 Data Protection Directive, GDPR recognizes the impact that the Internet and other new technologies have had on the data we hold and how we share it. The European Union is pushing companies to treat this as an opportunity to develop and implement data governance, protection and privacy in line with consumer expectations. The penalties for non-compliance can be severe: up to 20 million Euros or 4% of group worldwide turnover (whichever is greater).
GDPR applies to both data controllers and data processors, and penalties can be imposed on one or both parties depending on their degree of responsibility. The data controller is the person (or business) who determines the purposes for which, and the way in which, personal data is processed. The data processor is anyone who processes personal data on behalf of the data controller (excluding the data controller’s own employees).
Among other things, organizations will be required to maintain a data breach detection plan, regularly evaluate the effectiveness of their security practices, and document evidence of compliance. However, GDPR does not provide specific technical direction, meaning that organizations are independently responsible for establishing and maintaining the practices needed to uphold the data security requirements it outlines.
Whether they reside in the EU or merely transmit EU citizen data, global companies are working frantically to comply with the sweeping regulation. Adding to the complication, GDPR affects departments across the enterprise (legal, IT and security), so compliance work has to be coordinated cross-functionally across the organization.
GDPR outlines the following cyber security requirements:
- Defines the lawfulness of processing data to include consent by data subjects, privacy by design, the right to be forgotten and data portability requirements
- Outlines responsibilities of controllers and processors
- Requires a Privacy Impact Assessment and the appointment of a data protection officer
- Enforces strict breach notification requirements
This regulation is unprecedented, and it is imperative that your organization develop an execution plan covering people, process and technology. Your security department should assess itself across the six key security components of GDPR and develop a business-aligned plan in conjunction with the IT and legal teams.