What is General Data Protection Regulation (GDPR)?

The European Union (EU) adopted a new law in 2016 called the General Data Protection Regulation, or GDPR for short. It applies to every organisation that processes the personal data of people in the EU, wherever that organisation is based. It comes into effect on May 25th 2018, which is just over a week away. But what does it mean, and should companies be worried?

What is the GDPR?

Firstly, the GDPR addresses a number of key areas around the privacy of EU citizens' data, in relation to the storage, processing and handling of personal data. Personal data is any data that can identify an individual, either directly or indirectly when combined with other information. This can include the following:

Below is a very short and simple video introducing the GDPR legislation:

I’ve simplified and summarised the key points of the GDPR legislation below:

The overall effect of the GDPR is to provide improved protection for EU citizens and to unify the data protection laws across the EU. This puts the onus on businesses, including the cloud providers that process data on their behalf, to ensure that data is processed fairly and in accordance with the law. There are a number of sanctions that can be enforced, depending on the nature of the breach:

So what should companies do? Firstly, they need to seek legal advice from an expert in European Union law to understand the potential impacts and next steps. The next step is to audit their business processes and how they store data, so that they understand their current state. Then, with their legal expert, they need to interpret the law and derive a series of overarching requirements from it. These requirements then need to be solidified into a series of concrete solutions.

Here is a great example of how the market-leading SaaS cloud provider Xero is approaching its GDPR obligations in relation to its financial accounting package:

It’s very important to ensure that the IT, security, legal and operations departments all work together closely to work through the issues and implement the solutions.

Want to know more about how you can secure your data and ensure you are following the latest best practices? Consider studying for the Certified Cloud Security Professional (CCSP) certification, which leads to an (ISC)² examination. I’d be glad to coach you through your questions and help expand your knowledge of all things security.