by Steve Durbin
The General Data Protection Regulation (GDPR) officially goes into effect in May of 2018 and will have a global reach, affecting any organization that handles the personal data of European Union (EU) residents, regardless of where it is processed. The GDPR adds another layer of complexity, not to mention potential cost and associated resources, to the issue of critical information asset management that so many organizations are struggling to come to terms with.
At the Information Security Forum (ISF), we consider this to be the biggest shake-up of global privacy law in decades, as it redefines the scope of EU data protection legislation and forces organizations worldwide to comply with its requirements. This most certainly includes US-based organizations. The GDPR aims to establish the same data protection levels for all EU residents and will have a solid focus on how organizations handle personal data. Businesses face several challenges in preparing for the reform, including a lack of awareness among major internal stakeholders. The benefits of the GDPR will create several compliance requirements, from which few organizations will
However, organizations will benefit from the uniformity introduced by the reform and will avoid having to navigate the current array of often-contradictory national data protection laws. There will also be worldwide benefits, as countries in other regions are dedicating more attention to the defense of mission-critical assets. The GDPR has the potential to serve as a healthy, scalable, and exportable regime that could become an international benchmark.
Understanding the penalties of
Most countries (including all EU nations) have established supervisory authorities to oversee the use of personal data. These supervisory authorities are government-appointed bodies that have powers to inspect, enforce, and penalize the processing of personal data. In the U.S., a number of authorities enforce data
What the GDPR means for
» Prepare in advance. Don’t delay until May.
» Understand the legal requirement and the penalties for non‑compliance.
» Assign a data protection officer with the expertise and time to field requests.
» Get an immediate handle on your data. What are you collecting? Where is it coming from, and where is it stored? Who is responsible for it, and who has access to it?
» Take responsibility. Don’t expect government and regulators to help.