The European Union's (EU) GDPR came into force on May 25, 2018 and is aimed at strengthening data protection in the member countries of the EU, currently 28 countries, including the United Kingdom. This affects a population in these countries of 508 million people. It is a major change that has affected almost all countries in the world, because the GDPR extends EU data protection law to all foreign companies processing data of EU residents.
Since the EU GDPR came into operation, all organizations that process the personally identifiable information of EU residents have been required to abide by a number of requirements set out in the GDPR regulations. This also applies to foreign entities that control or process data relating to EU residents. There are exemptions set out in the regulation:
1. Organizations found in breach of the Regulation can be fined up to EUR 20 million or four percent of global annual turnover, whichever is greater. The cost of non-compliance far exceeds the cost of ensuring an organization complies with the regulation.
2. Because of the magnitude of the possible penalties for non-compliance and the frequency of cybercrime data breaches occurring worldwide, it is imperative that compliance with the EU GDPR be given high priority. It clearly must be high on the priorities of an organization's board of directors. The responsibility should by now have been prudently and effectively assigned to the board members responsible for risk management.
3. It should be noted that this is a regulation of the EU and did not require enabling legislation to be passed by member governments of the EU. IT Governance can help you with updated information by clicking on the link below:
4. The EU GDPR extends the scope of EU data protection law to all foreign companies processing data of EU residents. Non-compliance penalties also apply to them if they handle the data of EU residents. Trading partners will need to be made aware of this responsibility.
5. The regulation provides for the harmonization of data protection legislation throughout the EU, which makes it simpler for non-European companies to comply with the regulation, as they do not have to deal with varying laws or regulations in different countries.
6. The implementation of the regulation provides an organization not only with the opportunity to review its products, policies and procedures, but also to review its overall information technology governance, because a breach could easily be the source of a non-compliance issue.
7. The EU Data Protection Regulation contains the following key changes:
8. Develop an ongoing action plan for the implementation of training courses, documentation toolkits, data audits and consultancy options within the phase-in period, including:
9. If you do not perform regular penetration tests of your information technology systems, we recommend that you do so, as fraudulent access to your data covered by the GDPR could easily lead to a non-compliance event.
If you wish to obtain a copy of Alan Calder's EU GDPR: A Pocket Guide, you can obtain it from the Amazon store in the country in which you live or directly from IT Governance. Here are the links for the United Kingdom, the United States and IT Governance direct: