With the continued focus on personal information and the privacy rights of individuals, the General Data Protection Regulation (GDPR) officially goes into effect this month and it will certainly have an international reach, affecting any organization that handles the personal data of European Union (EU) residents, regardless of where it is processed. The GDPR adds another layer of complexity, not to mention potential cost and associated resources, to the issue of critical information asset management.
The GDPR redefines the scope of EU data protection legislation, forcing organizations worldwide to comply with its requirements. The GDPR aims to establish the same data protection levels for all EU residents and will have a solid focus on how organizations handle personal data. The benefits of the GDPR will create several compliance requirements, from which few organizations will completely escape.
However, organizations will benefit from the uniformity introduced by the reform and will evade having to circumnavigate the current array of often-contradictory national data protection laws. At the Information Security Forum (ISF), we believe that the GDPR has the potential to serve as a healthy, scalable and exportable regime that could become an international benchmark.
Most countries have established supervisory authorities to oversee the use of personal data. These supervisory authorities are government-appointed bodies that have powers to inspect, enforce and penalize the processing of personal data. In the U.S., a number of authorities enforce data protection requirements under the sectoral approach, most notably the Federal Trade Commission (FTC), which has substantial regulatory powers.
Supervisory authorities are granted investigatory powers, allowing them to investigate any complaint that they receive through a variety of measures such as audits, and reviews of certifications and codes of conduct. These complaints can be submitted to any supervisory authority.
If an organization is found to be overstepping the requirements, supervisory authorities can choose from a variety of corrective powers. These include the ability to issue warnings and reprimands to controllers or processors; but also include far more substantial powers, which can compel an organization to process data in certain manners, or cease processing, as well as force it to report data breaches to the affected data subjects.
Look beyond compliance
The GDPR promises to penalize organizations unable to uphold enhanced rights and freedoms – a risk best managed through an enterprisewide GDPR compliance program.
Leading organizations are extending the breadth of GDPR compliance programs to leverage additional benefits, incuding:
• Consolidating activities into broader information governance programs
• Embedding information security into the design of business applications and technical infrastructure
• Improving data protection and privacy practices
• Extending information security’s reach within the business
While every organization should judge the risks and rewards of its data protection investments, the GDPR offers a unique opportunity to translate compliance actions into tangible business benefit. Leading organizations are structuring GDPR compliance programs to exploit these opportunities. Although the GDPR is upon us, it is not too late to join in – May sees the start of the journey to ongoing protection of personal information, which will be with us for some time to come.
Steve Durbin is managing director of the Information Security Forum (ISF).