Overview of the GDPR
The General Data Protection Regulation (GDPR) imposes new rules on organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data tied to EU residents, regardless of where the organization itself is located.
The GDPR takes effect on 25 May 2018 and will require big changes, and potentially significant investment, by organizations all over the world. It contains many requirements about how you collect, store and use personal information. This covers not only how you identify and secure the personal data in your systems, but also how you meet new transparency requirements, how you detect and report personal data breaches, and how you train privacy personnel and employees.
The key changes that the GDPR introduces for organizations, over and above the existing EU Data Protection Directive (95/46/EC) that it replaces, are depicted below.
Implications for business
Organizations need to begin by reviewing their existing privacy and data management practices. Failure to comply with the GDPR could prove costly: companies that do not meet its requirements and obligations face substantial fines and reputational harm. The regulation sets two tiers of administrative fines. For the most serious infringements, the supervisory authority can fine up to 20,000,000 euro or 4% of total annual worldwide turnover, whichever is greater. For other infringements, including failing to notify a breach when required to do so, the fine can be up to 10,000,000 euro or 2% of total annual worldwide turnover, again whichever is greater.
According to Trend Micro's UK study [1] regarding the GDPR:
- 50% of UK IT decision makers are unaware of the impending legislation
- 25% are adamant that compliance is not achievable
Guidance for CEOs on ensuring GDPR readiness
Chief business executives need to react now and follow the steps below (as depicted in the diagram). The essential first step is to identify the types of personal data the organization collects, processes and stores [such as PII (Personally Identifiable Information), PHI (Personal Health Information), etc.] and, most importantly, where that data resides. You cannot protect, report on, or delete data that you have not located.
The CEO can direct the governance team to define an information security and privacy management mechanism within the organization's existing frameworks, such as the ISO/IEC 27001:2013 security standard or the NIST Cybersecurity Framework. The CEO also needs a clear view of the residual risk to customers' personal data, based on how well the security controls already in place (including the various vendor technologies deployed) perform across the identification, prevention, detection, isolation and remediation stages of a data breach.
Another key aspect the CEO must not miss is mandatory breach notification, and establishing the process that handles it. Under the GDPR, a personal data breach must be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of the organization becoming aware of it, unless the breach is unlikely to result in a risk to individuals; where the breach is likely to result in a high risk to individuals, the affected data subjects must also be informed without undue delay. A 72-hour window is only achievable if detection, escalation and decision-making are defined and rehearsed in advance. Security is a continuous process, and these mechanisms have to be reviewed periodically across business functions.
Most CEOs will seek help from security consulting organizations on this journey, both to support their teams and to safeguard customer data and business imperatives.