The Worldwide Implications of the EU General Data Protection Regulation

August 5, 2016

I recently attended a Boston Chapter Meeting of the Cloud Security Alliance (CSA). This meeting was held in conjunction with the local chapter of the International Association of Privacy Professionals (IAPP). The topic? Something that interested everyone in the room, the new EU General Data Protection Regulation (GDPR).

Implications of the GDPR are a concern for almost every organization doing business in the EU that possesses “any information relating to an identified or identifiable natural person (‘data subject’).” While it becomes enforceable on May 28, 2018, the time to prepare for it is now.

At the event, keynote speakers included Elaine Call, Esq., Technology & Privacy Counsel at Cengage Learning, Inc. and Web Hull, Privacy, Data Protection, Security & Compliance Advisor, Global Privacy and Compliance Group. Elaine kicked off the meeting with an introduction to the GDPR and discussed security and cross-border data transfers.

Attendees learned that the EU General Data Protection Regulation replaces the 21-year-old Data Protection Directive (95/46/EC) as the EU’s omnibus data protection law. It replaces 28 national laws, perceived as a benefit for businesses, in that they will only have to deal with one supervisory authority, not 28.

The law’s objectives are to:

  1. Protect the “Digital Citizen”
  2. Ensure a single digital market
    1. New framework: One set of rules for the whole EU and a uniform interpretation mechanism to provide legal certainty and create trust

Attendees also learned some new vocabulary. For instance, the regulation promotes techniques such as anonymization (removing personally identifiable information where it is not needed), and pseudonymization (replacing personally identifiable material with artificial identifiers). The regulation also promotes the use of encryption to protect personal data.

Key Takeaways

The key takeaways from the CSA discussion on GDPR include:

  • The EU GDPR has teeth: Under the GDPR, fines can be up to 20 million Euros or up to four percent of a company’s global annual turnover, whichever is greater.
  • It affects companies worldwide: Companies affected include controllers and processors established in the EU/EEA and companies not established in the EU/EEA, if they offer goods or services within the EU/EEA, irrespective of whether a payment by the data subject is required. The regulation has very broad reach, applying to virtually any company doing business in the EU.
  • Staffing: Firms with over 250 staff must employ a data protection officer. The EC wants to ensure that large organizations processing a lot of data have someone who takes responsibility for that information, and having a data protection officer role is part of the new law.
  • Organizations must be able to report on breaches: The GDPR will require firms to notify data protection authorities, such as the UK’s Information Commissioner’s Office (ICO), of any data loss incidents as soon as possible, which the EC suggests should be within 24 hours “when feasible”.

How to prepare for the EU GDPR

The EU GDPR train has left the station. Now is a good time to assess how you can prevent attackers from gaining access to any information relating to an identified or identifiable person.

It’s important to have answers to the below questions:

  • How can IT teams provide unified, granular access control to applications, services and infrastructure, regardless of location, whether on-premises or in the cloud?
  • How can you apply the same level of access control scrutiny to devices brought into the environment by third-parties, contractors, or even your own employees?
  • How can you make the network ‘invisible’, cloaking the full network and only granting visibility and access to the applications and services that users need to do their job?
  • How can you provide logging data to help meet reporting requirements including those associated with the EU GDPR?

Cryptzone’s AppGate® provides a comprehensive, centralized approach to secure access control, providing real-time access on a need-to-know basis. Enterprises leveraging AppGate can improve security, maintain productivity, reduce operational costs and be on their way to meeting the EU GDPR security requirements.


Philip Marshall

As Cryptzone’s Director of Product Marketing, Phil Marshall brings over 14 years of experience in both product and services marketing as well as 10 + years experience in the high-tech publishing space with publications including Dr. Dobb’s Journal and Byte magazine. Prior to joining Cryptzone, Phil worked at security firms Rapid7, Positive Technologies and RSA. He also was a Senior Product Marketing Manager at Black Duck, the leading open source governance and management firm.

A speaker at recent (ISC)2 conferences and ISACA, he’s participated in numerous webinars, in panel discussions and presented on topics including Identity Security, Application Security and Open Source Governance and Management.

Marshall earned a BA at Bates College and an MBA, cum laude, at the F.W. Olin Graduate School of Business at Babson College.
