The EU General Data Protection Regulation (GDPR) goes into effect May 25, 2018, and much like in the months approaching Y2K nearly two decades ago, many organizations are still scrambling to fully understand its impact, relevance, and scope. GDPR is a unified set of laws that creates stricter regulations for EU Subject data, along with steeper penalties for non-compliance than the previous EU Data Privacy Directive it replaces. Some organizations may have to make sweeping changes to how they process and secure EU Subject data.
Organizations impacted by GDPR fall into any one of these three categories:
- Organizations that are based in the EU (because at a minimum they are handling the data of their employees)
- Organizations that offer goods and/or services to EU Subjects
- Organizations that monitor EU Subject data
That is a pretty wide net, a good deal wider than the previous directive, in that organizations outside of the EU are also impacted. GDPR introduces new EU Subject data rights designed to give individuals greater control over their personal data. It establishes new control requirements such as a 72-hour breach notification, the right to erasure, and the right to portability, to name a few. The following are some key facts around GDPR:
- The law was released in April 2016; enforcement begins May 25, 2018
- Organizations can be fined up to 4% of annual global turnover or €20 Million for breaching GDPR
- GDPR replaces the 1995 Data Protection Directive that is currently in force across the EU
- Personal data can include many things, such as a name, a photo, an email address, bank details, social networking posts, medical information, and a computer IP address
- It impacts countries outside the EU via class action lawsuits
So how do you get momentum behind GDPR?
First off, get a handle on where your EU Subject data resides; you don't need GDPR expertise for this critical first step. Many organizations are finding that they have old or otherwise obsolete data that can be purged or merged, thereby freeing up valuable resources and decreasing their overall threat footprint.
Secondly, there is no silver bullet. Do not try to solve your GDPR problem with point solutions, at least not initially. Many product vendors are riding the GDPR bandwagon because it is the hot new buzzword, but there is no single solution that will magically make you GDPR compliant. You must first establish your GDPR program, assign and train your GDPR program participants, and only then determine where point solutions may help you become and stay GDPR compliant.
So, if you have not begun your journey toward GDPR compliance, now would be a good time to start. The challenge of GDPR is not insurmountable; the marketplace has responded very well to the evolving reality of data privacy. Couple that with a structured program and a robust plan of attack, and you are on your way.
Contact Gotham to ask how we can help.