GDPR is upon us: Are you ready?

With the continued focus on personal information and the privacy rights of individuals, the General Data Protection Regulation (GDPR) officially goes into effect this month and it will certainly have an international reach, affecting any organization that handles the personal data of European Union (EU) residents, regardless of where it is processed. The GDPR adds another layer of complexity, not to mention potential cost and associated resources, to the issue of critical information asset management.

The GDPR redefines the scope of EU data protection legislation, forcing organizations worldwide to comply with its requirements. The GDPR aims to establish the same data protection levels for all EU residents and will have a solid focus on how organizations handle personal data. Alongside its benefits, the GDPR will create several compliance requirements, from which few organizations will completely escape.

However, organizations will benefit from the uniformity introduced by the reform and will avoid having to navigate the current array of often-contradictory national data protection laws. At the Information Security Forum (ISF), we believe that the GDPR has the potential to serve as a healthy, scalable and exportable regime that could become an international benchmark.

Non-compliance consequences

Most countries have established supervisory authorities to oversee the use of personal data. These supervisory authorities are government-appointed bodies with powers to inspect, enforce and penalize in relation to the processing of personal data. In the U.S., a number of authorities enforce data protection requirements under the sectoral approach, most notably the Federal Trade Commission (FTC), which has substantial regulatory powers.

Supervisory authorities are granted investigatory powers, allowing them to investigate any complaint that they receive through a variety of measures such as audits, and reviews of certifications and codes of conduct. These complaints can be submitted to any supervisory authority.

If an organization is found to be in breach of the requirements, supervisory authorities can choose from a variety of corrective powers. These include the ability to issue warnings and reprimands to controllers or processors, but also far more substantial powers, which can compel an organization to process data in certain manners or cease processing, as well as force it to report data breaches to the affected data subjects.

Look beyond compliance

The GDPR promises to penalize organizations unable to uphold enhanced rights and freedoms – a risk best managed through an enterprisewide GDPR compliance program.

Leading organizations are extending the breadth of GDPR compliance programs to leverage additional benefits, including:

• Consolidating activities into broader information governance programs

• Embedding information security into the design of business applications and technical infrastructure

• Improving data protection and privacy practices

• Extending information security's reach within the business

While every organization should judge the risks and rewards of its data protection investments, the GDPR offers a unique opportunity to translate compliance actions into tangible business benefit. Leading organizations are structuring GDPR compliance programs to exploit these opportunities. Although the GDPR is upon us, it is not too late to join in – May sees the start of the journey to ongoing protection of personal information, which will be with us for some time to come.

Steve Durbin is managing director of the Information Security Forum (ISF).

Steve Durbin

Steve Durbin is the Chief Executive of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments. He is a frequent speaker and commentator on technology and security issues.
Formerly at Ernst & Young, Steve has been involved with IPOs, mergers and acquisitions of fast-growth companies across Europe and the USA. Having previously been senior vice president at Gartner, he has advised a number of NASDAQ and NYSE listed global technology companies.

Steve has served as a Digital 50 advisory committee member in the United States, a body established to improve the talent pool for Fortune 500 boards around cyber security and information governance, and he has been ranked as one of the top 10 individuals shaping the way that organizations and leaders approach information security careers. He has also been featured on the top 20 most influential list of leaders whose companies have a vision that shapes the conceptual landscape of their respective industries.

Steve is a Chartered Marketer, a Fellow of the Chartered Institute of Marketing, Forbes Business Council Member and a visiting lecturer at Henley Business School where he speaks on the role of the Board in Cybersecurity. He is a regular contributor and attendee at the Astana Club, where he provides expert input on the top risks for Eurasia, emerging global cyber trends and digital totalitarianism.
