Today we’re going to talk about the European General Data Protection Regulation, or GDPR. While it doesn’t come into effect until mid-2018, you really need to start your planning today, and the question is: are you prepared?
One of the biggest fallacies I see is North American organizations believing they are not affected. The reality is that if you do business with Europe, if you hold European data, or if you have partners or affiliates in Europe, you are governed by the GDPR and are on the hook for its responsibilities.
The scope of the GDPR is broad, and it mandates many controls, such as privacy by design, consent and control mechanisms, the ability for individuals to have their data removed from a network, and the appointment of a data protection officer. Most importantly, the GDPR contains stringent data breach notification rules that, when violated, can lead to highly punitive sanctions in the tens of millions of euros.
And while the GDPR does recognize some other countries’ privacy laws as equivalent, such as Canada’s, it does not recognize those of the United States. This means that as a US entity, you must put binding corporate rules in place between the US entity and its European affiliate to meet the GDPR standards.
There are hundreds of controls in the GDPR regulations, including setting up breach notification rules, incident response planning, privacy by design, and designating a data protection officer. For this reason, I highly recommend that you enlist a security advisory professional to help you navigate all of those complications.