The General Data Protection Regulation (GDPR) is a regulation of the European Union (EU) that governs the control and processing of personal data relating to individuals within the EU. The GDPR defines personal data as any information relating to an EU resident's public, private, or professional life (such as email addresses and bank information). The GDPR becomes binding and applicable in the EU Member States on 25th May 2018.
Organizations found to be non-compliant with the GDPR after this date will face heavy fines of up to €20 million or up to 4% of their global revenue for each incident. One important point to note is that you are bound to comply with this regulation even if your organization has no presence in the EU: the regulation applies to all individuals and organizations that store or control the data of an EU resident.
The GDPR places strong emphasis on cyber security to address concerns about data privacy and protection. Under the GDPR, organizations need to appoint an independent Data Protection Officer (DPO) who will oversee the organization's data protection measures and determine whether they are compliant with the GDPR. If a data breach occurs, data controllers, i.e. the individuals and organizations that hold data about EU citizens, will be required to inform the DPO of the breach within 72 hours of discovery.
Beyond this, the GDPR requires organizations to store, process, and analyze data in a manner that ensures a level of security appropriate to the scale and sensitivity of the information. This includes the use of encryption and access control tools to prevent unauthorized and unlawful access to data. Furthermore, the regulation makes it mandatory for organizations to carry out Data Protection or Privacy Impact Assessments (DPIAs). Risks identified through these DPIAs will have to be reported and countered with appropriate measures.
The clauses of the GDPR highlighted above show how important cyber security will become to organizations across the globe. To avoid non-compliance with the GDPR and to protect their reputations in the public eye, organizations will have to adopt cyber security solutions and frameworks such as Governance, Risk, and Compliance (GRC).
GRC is a structured approach for defining measurable objectives and enabling organizations to align their policies and controls with regulations such as the GDPR. A GRC tool lets you track progress, evaluate the risk of breaches, and document compliance efforts, which is ideal for meeting the reporting requirements of the GDPR. Organizations need to design their GRC framework to integrate the GDPR's requirements so that these efforts stay aligned with their business goals. Without a GRC framework, companies would struggle to comply with the GDPR quickly while keeping their organizational processes intact.
To conclude, the GDPR will redefine the way organizations control and process data about EU citizens by placing emphasis on cyber security. Organizations will need to raise their cyber security standards and report risks by carrying out compulsory assessments. To do so, organizations can define a GRC cyber security framework as a stepping stone towards compliance with the GDPR.