By Tenable Network Security
The European Parliament adopted the EU General Data Protection Regulation (GDPR) in April 2016, and it became enforceable on 25 May 2018. It requires all organisations that handle the personal data of individuals in the EU, or that offer products or services to them, to observe strict data protection and security measures. Involve executive management, privacy experts, legal counsel and your security team when planning GDPR implementation.
GDPR impact on business processes and systems
Penalties for violations are severe: Under Article 83(5), the most serious infringements can result in administrative fines of up to €20 million or 4% of the company’s total worldwide annual turnover for the preceding financial year, whichever is higher.
The definition of personal data is expanded: Under Article 4(1), personal data means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, by a name, an identification number, location data, an online identifier, or by one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. This definition captures data that may not seem personal at first glance: IP addresses, Global Positioning System data, cookie identifiers, Media Access Control addresses and similar device or online identifiers.
Technical and organisational measures require adequate security controls: Article 32 requires controllers and processors to implement appropriate technical and organisational measures, taking into account the state of the art, the cost of implementation, the nature of the processing and the risk to the rights and freedoms of data subjects, but it does not prescribe specific controls. Adopting an established security framework helps infosec professionals create repeatable processes and implement controls to protect personal data, and Article 32(3) allows adherence to an approved code of conduct or certification mechanism to be used as evidence that these obligations are met.
The GDPR’s jurisdiction includes non-EU organisations: Under Article 3(2), the regulation’s territorial scope covers organisations established outside the EU that offer goods or services to data subjects in the EU, whether or not payment is required, or that monitor the behaviour of data subjects in the EU.