GDPR Compliance: The Impact on InfoSec in 2018 and Beyond

The General Data Protection Regulation (GDPR) will be replacing Data Protection Directive 95/46/ec in Spring 2018, meaning information security teams need to start preparing now to ensure that their organizations remain compliant when the new rules go into effect, or risk facing fines and stiff penalties. GDPR applies to all states in the European Union (EU) as well as any company that markets goods or services to EU residents. In other words, GDPR will have a far-reaching impact on global organizations.

What does GDPR mean for global information security teams, and how should they prepare for the upcoming changes? To gain some insight into the anticipated impacts of GDPR on businesses located in the EU as well as those who market goods or services to residents of the EU, we reached out to a panel of information security leaders and asked them to weigh in on this question:The upcoming EU General Data Protection Regulation (GDPR) will be one of the strictest and most far-reaching data protection regulations ever passed…Imposing tight data protection requirements and heavy penalties for non-compliance for any business around the world that collects or processes EU resident data. The goal of the GDPR is to harmonize data privacy laws across Europe, protect and empower all EU citizens’ data privacy, and reshape the way organisations approach data privacy.

The GDPR will be the largest overhaul to data privacy regulations that the EU – and much of the world – has experienced in the past 30 years. Its privacy requirements will be extensive and thorough, including the protection of EU citizens and residents’ personal information, such as data related to their health, genetics, biometrics, race, sexual orientation, and political opinions.

With GDPR coming into effect on May 25, 2018, any organisation handling EU residents’ data should be prepared to comply with stricter privacy regulations or be ready to pay up to 4% of their global annual revenue in fines or €10,000,000. This is a substantial stick carried for non-compliant companies, but the carrot for compliant companies is the increased customer trust and loyalty that can follow when companies demonstrate success in protecting EU citizens and residents’ personal data.Unfortunately, many organisations can be slow to adopt to new changes like the GDPR and need to accelerate their efforts in order to ensure GDPR compliance before the deadline arrives. A shocking 52% of companies believe they will not be ready for GDPR enforcement and will end up paying fines! In order to avoid this it’s important to prioritize resources, processes, and people to ensure you are not only preparing for GDPR, but are also establishing an ongoing program that will eventually evolve into routine business operations.

Gaining executive leadership and stakeholder cooperation is the first step in complying with GDPR. Having board level buy-in from the beginning is critical, as is appointing an executive leader; preferably the CEO. GDPR isn’t primarily a security issue nor is it all about IT – it’s a business problem that relies on cross-departmental collaboration from all stakeholders to be successful. Appointing a strong centralized GDPR leader with a core GDPR team across business units is the first step in progressing toward GDPR compliance; however, the core GDPR project team needs to be accountable to the board and executive leadership teams, with direction coming from the top down.

Save your time!
We can take care of your essay

• Proper editing and formatting
• Free revision, title page, and bibliography
• Flexible prices and money-back guarantee

Place Order

There are many questions about the role of the data protection officer (DPO). GDPR only requires the appointment of a DPO by companies in limited cases, namely when the company’s core activities consist of the following:Data processing operations which require regular and systematic monitoring of data subjects on a large scale; Processing on a large scale of special categories of data, i.e., sensitive data such as health, religion, race, sexual orientation, etc., and personal data relating to criminal convictions and offenses.

Public authorities are always required to appoint a DPO under GDPR. In general, a DPO will be required if your company processes and manipulates personal data (e.g. banks, healthcare, credit companies), but if the company only has HR data they are not required to have a DPO.Currently, the International Association of Privacy Professionals (IAPP) estimates that 28,000 DPOs are required in Europe in order to achieve perfect compliance by the May 25, 2018 deadline. The demand to fill the position will certainly increase as we move closer to the GDPR enforcement date. When the GDPR goes into effect, the DPO becomes a mandatory role under Article 37 for all companies that meet these criteria. DPOs are responsible for educating the company and its employees on important compliance requirements, training staff involved in data processing, and conducting regular security audits. DPOs also serve as the point of contact between the company and any Supervisory Authorities (SAs) that oversee activities related to data collection or processing.

It’s important to note that DPOs do not need to be members of the organisation. The GDPR does not include a specific list of DPO credentials, but Article 37 does require a data protection officer to have “expert knowledge of data protection law and practices.” The Regulation also specifies that the DPO’s expertise should align with the organisation’s data processing operations and the level of data protection required for the personal data processed by data controllers and data processors. If you’re selecting an external DPO, ensure that they know and understand not only the data but also the business they are working for.DPOs may be a controller or processor’s staff member and related organisations may utilize the same individual to oversee data protection collectively, as long as it’s possible for all data protection activities to be managed by the same individual and the DPO is easily accessible to the related organisations whenever needed. It is required that the DPO’s information is made public and provided to all regulatory oversight agencies.It is recommended that organisations start evaluating potential DPO candidates now so they can determine if they meet the requirements while being a valuable addition to the GDPR stakeholder team.

Start by looking for candidates within your organisation, as they have the best understanding of your business. GDPR is fairly nebulous when prescribing solutions or technologies to achieve compliance; however, this is intentional. The GDPR is designed to accommodate new and emerging technologies, such as cloud-based systems, IoT, machine learning, and social networks. Many of these technologies weren’t available when previous data protection regulations – such as the EU’s Data Protection Directive of 1995 – were established, so the GDPR was designed to be flexible in how organisations can comply with its technology mandates. The downside is that this leaves many companies lacking guidance as to what technologies can help them speed or enable GDPR compliance.It’s recommended to start with a visibility assessment of what data exists within your environment and what types of personal data – particularly GDPR-regulated data – you are collecting, handling, and storing so you can have a deep understanding of your risk exposure and prioritize further compliance efforts from there.

Whatever technologies you choose to adopt, it’s imperative to understand how they enable you to process personal data and put controls around that data, which include consent (opt-in), the right to be forgotten, transparency, and data portability, as users have the right to receive documentation of how their personal data is being used and stored. While organisations are going through their GDPR compliance program and determining the impact the new regulation will have from a people, process, and technology perspective, some may find it more cost-effective to outsource to a managed security program (MSP) that handles the process for them. With the current dearth of IT security talent, this may become a more viable option for organisations who lack the internal resources and headcount but need to be compliant with GDPR.