The European Union's (EU) General Data Protection Regulation (GDPR) applies from May 25, 2018 and is aimed at strengthening data protection across the member countries of the EU, currently 28 countries, including the United Kingdom, with a combined population of about 508 million people. It is a major change that will affect organizations in almost every country in the world, because the GDPR extends EU data protection law to any foreign company that processes the personal data of EU residents.
Once the GDPR applies, every organization that processes the personal data of EU residents will be required to meet the requirements set out in the Regulation. This includes foreign entities that act as controllers or processors of data relating to EU residents. The Regulation does set out exemptions, for example for certain law enforcement processing.
1. Organizations found in breach of the Regulation can be fined up to €20 million or four percent of global annual turnover, whichever is higher. The cost of non-compliance will therefore far exceed the cost of ensuring that an organization complies with the Regulation. Taking advantage of the phase-in period is critical, so that an organization's products, policies and procedures comply by the implementation date of May 25, 2018.
2. Because of the magnitude of the possible penalties for non-compliance and the frequency of data breaches occurring worldwide, compliance with the EU GDPR must be given high priority. It belongs on the board of directors' agenda, and responsibility for it should be prudently and explicitly assigned to the board members who oversee risk management.
3. Note that this is an EU Regulation: it is directly applicable and does not require enabling legislation to be passed by member governments. The implementation date is fixed, so do not make the mistake of waiting for a member country's own legislation. Full advantage needs to be taken of the lead-in time to complete the required training and implementation work.
4. The EU GDPR extends the scope of EU data protection law to all foreign companies processing the data of EU residents. The same penalties for non-compliance apply to them if they handle the data of EU residents. Trading partners will need to be made aware of this responsibility.
5. The Regulation harmonizes data protection legislation throughout the EU, which makes it simpler for non-European companies to comply, as they no longer have to deal with varying laws and regulations in each member country.
6. Implementing the Regulation gives an organization the opportunity not only to review its products, policies and procedures, but also to review its overall information technology governance, because a breach could easily become the source of a non-compliance issue.
7. The EU Data Protection Regulation contains the following key changes:
8. Developing an action plan for the implementation of training courses, documentation tool kits, data audits and consultancy options within the phase in period, including:
9. If you do not already perform regular penetration tests of your information technology systems, we recommend that you do so, as unauthorized access to data covered by the GDPR could easily lead to a non-compliance event.
If you wish to obtain a copy of Alan Calder's EU GDPR: A Pocket Guide, it is available from the Amazon store for the country where you live or directly from IT Governance.