The General Data Protection Regulation (GDPR) was adopted in April 2016, replacing the 1995 Data Protection Directive, in order to unify data protection law across the EU and strengthen the rights of individuals over their personal data. It becomes enforceable on 25 May 2018, making it the biggest change to data privacy law in two decades. Any organization, whether or not it is established in the EU, is subject to the regulation if it processes the personal data of individuals in the EU, for example by offering them goods or services or by monitoring their behaviour.
According to a Spiceworks survey of nearly 800 IT professionals in the EU, U.K., and U.S., only 2% of IT pros in the EU believe they are fully prepared for the GDPR, compared with 5% in the U.K. and 2% in the U.S. Just 9% of U.S. IT professionals claim to understand what the regulation entails, while 43% and 36% of IT professionals in the U.K. and the EU respectively say they are well informed about the GDPR and how it will affect their organization.
A vast majority of the organizations that fall under the regulation are therefore unprepared, despite having been given a two-year transition period. Non-compliance can be costly: the lower tier of administrative fines reaches €10 million or 2% of worldwide annual turnover, and the upper tier €20 million or 4% of worldwide annual turnover, in each case whichever is higher. There is no general exemption for small companies; the regulation only relaxes a few obligations (such as keeping records of processing activities) for organizations with fewer than 250 employees, and even those organizations will have to demonstrate compliance if larger customers require it as a condition of doing business with them.
Are You Prepared?
In order to avoid these penalties, provide better data protection to your organization's employees and data subjects, and be ready for the GDPR, you must first understand what the GDPR is and the impact it will have on individuals in the EU and on your organization. Do not assume that your organization is exempt simply because it is not based in the EU. Know the principles, the key changes, the data subject rights, and the penalties you could face for non-compliance.
However, knowing what the GDPR entails is not enough. A company must implement the changes that the regulation requires, such as:
- Appoint a Data Protection Officer where the regulation requires one (public authorities, and organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data)
- Obtain valid consent from data subjects where consent is the legal basis for processing, and make withdrawing consent as easy as giving it
- Build privacy by design and by default into systems and processes
- Ensure that data subjects are informed of their right to erasure, right of access, and right to data portability, as well as their other rights under the GDPR
- Ensure that data controllers and data processors carry out their respective duties under the GDPR, including having a written contract between controller and processor
- Report a personal data breach to the supervisory authority within 72 hours of becoming aware of it, and inform the affected data subjects without undue delay where the breach is likely to result in a high risk to them
GDPR and Cybersecurity
Implementing the changes the regulation requires is only part of protecting your data subjects and your organization; every company also needs a proper cybersecurity strategy, because the most direct way to protect personal data is to prevent breaches in the first place. The GDPR also requires organizations to implement, and to be able to demonstrate, appropriate technical and organizational security measures. At the same time, BYOD, mobile devices, and IoT devices, which often lack basic security controls, have become more widespread and more relied upon, and they are a major risk to an organization's cybersecurity and therefore to its GDPR compliance.
Traditional cybersecurity strategies built around firewalls, anti-virus software, and identity management solutions are no longer sufficient on their own to prevent breaches and loss of personal data. They must be extended into a layered strategy that also covers encryption and pseudonymisation of personal data, access control, monitoring and breach detection, regular testing of the controls in place, and the ability to restore data after an incident, which are the kinds of measures the GDPR itself lists as appropriate.
Ensuring that your cybersecurity team is properly trained to construct cybersecurity strategies, conduct penetration tests, provide network security, and implement a business continuity and disaster recovery plan, among other things, is a major way to keep your organization and your data subjects' personal data secure.
More than 200,000 information security professionals from across the globe have trained with EC-Council and have positively influenced the cybersecurity strategies of organizations worldwide. EC-Council's certification programs provide the training needed to develop cybersecurity experts who can help provide the protection your organization requires once the GDPR is enforced.