Taking effect in May 2018, the General Data Protection Regulation (GDPR) sets a new standard for data privacy and security across the European Union (EU). Much has been made of the law establishing data privacy as a fundamental right, and of its governance and security requirements.
Over the course of the next few weeks, we will be taking an in-depth look at the mandate’s articles and offering insight into how you can comply.
Today let’s take a look at what sets GDPR apart from other standards and regulations, namely its expanded scope and reach.
GDPR will affect any organization that offers goods or services to, or whose activity monitors the behavior of, individuals in the EU; it doesn’t matter whether the organization resides and processes data within the EU or not. Multi-national organizations across the world – from Australia to the United States – that collect EU subjects’ data will need to prepare for the new mandate. Additionally, as organizations collaborate and partner, GDPR holds them responsible for the privacy of their data even as it passes outside of their control. In effect, GDPR adds more stakeholders, and a higher level of due diligence for each party, to what can already be a complex web of relationships spanning the globe.
What is more, GDPR broadens the definition of ‘personal data’. Any piece of information that can be combined with another data point (or collection of data points) to identify an individual must be protected following GDPR’s mandates. Such a broad definition includes pieces of information such as online identifiers, genetic data or location metadata – data that organizations are unaccustomed to protecting. This will certainly change how organizations protect their data today, and it will affect how they do business while protecting this data going forward.
For all of this data, GDPR asks that protection be by design and by default; that is, data privacy must be a consideration from the moment an operation is conceived. Security in service of privacy must be incorporated into the very fabric and design of an organization and its operations as the default setting. Under GDPR, security is no longer an option; it is a requirement.
GDPR’s penalties are severe. In the event of a breach, organizations will be required to notify both the supervisory authority in their jurisdiction and the customers whose data was affected. And when breached data poses a risk to data subjects’ privacy, organizations will be subject to fines that have the potential to rise as high as €20 million or 4% of annual worldwide profit – whichever is greater.
The new penalty regime fundamentally changes the data security cost/benefit equation for any organization with a presence – real or virtual – in the EU.
As daunting as it may seem, you won’t have to face it alone. On this blog, we’ve already shared how to break the process into manageable chunks via our 6 step approach to tackling GDPR. Our experts walk through these 6 steps – in partnership with ISC2 – in a joint webinar entitled “6 Steps To GDPR Compliance”. Over the next few weeks, we’ll dig deeper into topics such as the ‘Right to be Forgotten’, data integrity obligations, due diligence requirements, and more. Stay tuned to this blog each week for a new installment in our GDPR series.
That said, if you’re eager to get started on your GDPR preparation, you can find more information, white papers and ebooks on GDPR compliance here: https://safenet.gemalto.com/gdpr