The General Data Protection Regulation (GDPR) is a piece of legislation that was agreed on in April 2016 and will be effective globally from 25 May 2018. This single Europe-wide regulation removes the complexities that businesses currently face in complying with multiple local data privacy laws across the EU. Currently, each EU state interprets the existing rules in its own way, making compliance across the region complex and expensive. GDPR unifies EU data protection legislation, simplifying processes and legal obligations for any company dealing with more than one EU state.
However, the scope of GDPR substantially increases the obligations of firms that handle EU citizens’ personally identifiable information (PII). The penalties for non-compliance are substantial, and their primary effect will be to raise data protection as a business risk directly into the boardroom.
Much of GDPR relates to the processes and legislative framework for data protection, which has limited impact on technology strategy. However, some of the key features of GDPR have a substantial impact on security requirements, which will translate into both process and technology changes.
Article 32 of GDPR requires Data Controllers and Data Processors to implement technical and organizational measures that ensure a level of data security appropriate to the risk presented by the processing of personal data.
Data security measures should, at a minimum, allow:
- Pseudonymizing or encrypting personal data
- Maintaining ongoing confidentiality, integrity, availability, access, and resilience of processing systems and services
- Restoring the availability and access to personal data, in the event of a physical or technical security breach
- Testing and evaluating the effectiveness of technical and organizational measures
GDPR does not stipulate an exhaustive list of controls that organizations must implement to be compliant. Consequently, for the many companies that must comply with the upcoming regulation, the best way to prepare is to implement a solid data protection strategy that protects against loss of data, whether through malicious activity or inadvertent error.
All of this sounds great but can be overwhelming, especially for small to medium-sized businesses that have no legal counsel or that might not yet be aware of this new piece of legislation.
If you are still in the dark, do not panic! GDPR specialist Gary Hibberd will cut through the GDPR verbiage and scaremongering and give you practical advice on how to demonstrate compliance. I invite you to listen to the recorded webinar:
I also encourage you to become familiar with GDPR if you haven’t done so already. There are plenty of resources available from legal firms like Agenci Information Security or from https://gdpr-info.eu.