The final analysis: What you need to know about the EU GDPR legislation

As we mentioned before in our recap of the proposed legislation, the European Union General Data Protection Regulation (GDPR) will have far-reaching consequences for both cloud-consuming organisations and cloud vendors. And with the ratification of this piece of legislation, security teams will have to begin the process to comply (if they haven’t already!).

A recent survey by TRUSTe found that only around 50% of organizations around the world are aware of the GDPR, with around 65% of those aware having already started preparing for it. For larger companies, this means it’s a game of catch-up to be fully compliant within the two year timeframe. Requirements such as hiring a data protection officer (DPO), documenting security procedures and processes and ensuring you can delete data when the purpose of use has expired will require the full two years to comply.

So what’s changed since we last wrote about this piece of legislation?

• Data protection impact assessments (DPIA) must be performed when data processing ‘”likely poses a high risk”
• Fines are two tier, depending on the transgression
  • Maximum fine of 20 million euro or 4% of global turnover, whichever is higher, in cases where the data subject’s rights have been infringed (e.g., data has been processed without a legal basis, international data transfers have been performed)
  • Maximum fine of 10 million euro or 2% of global turnover, whichever is higher, in cases where data controllers or processors have not met obligations – this can include the following
    • they cannot demonstrate adequate security
    • they have not appointed a DPO
    • DPIAs have not been carried out where necessary
    • no data processor agreement has been put in place

Other changes include adding biometrics to the list of ‘special data’ and making greater provision to protect childrens’ data.

With the complications presented by the cloud and shadow IT, personal data will be even harder to track and control. The security teams of data controllers will have to carefully create and document processes, policies, and products to ensure data subject rights and data security of processors. Let us know your thoughts on what the new regulations mean to your industry – join the discussion by tweeting at our Twitter handle @netskope.

For more resources on the GDPR and what your organization needs to do to be “cloud-ready” for 2017, check out our white paper written by European privacy and legal expert, Jeroen Terstegge, and our GDPR cloud compliance checklist on specific steps to take.