The European Parliament passed the General Data Protection Regulation in April 2016, and it will become enforceable in May 2018. Once in force, the regulation will require every organization that offers products or services to EU citizens, as well as those handling data of EU citizens, to adhere to a strict set of data privacy and security measures. The impact of these measures is broader than information security, and it may well require significant changes to business processes and systems.
- Penalties for violations are severe: serious infringements can result in fines of up to €20M or 4% of the offending company’s global annual revenue, whichever is higher.
- The “personal data” definition has expanded: Personal data means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. This definition of personal data is important to information security professionals because it covers data that may not seem, at first glance, to qualify as personal. IP addresses, application user IDs, Global Positioning System (GPS) data, cookies, media access control (MAC) addresses, unique mobile device identifiers (UDID), and International Mobile Equipment IDs (IMEI) are some examples.
- “Technical and organizational measures” require adequate general information security controls: The GDPR uses the phrase “technical and organizational measures” 21 times. In essence, the GDPR is asking controllers to employ information security frameworks, which enable professionals to create consistent, repeatable processes and implement controls that are generally accepted by the information security community.
- The jurisdictional reach includes organizations outside of the EU: The GDPR’s jurisdictional reach (called the “territorial scope”) is broad and includes most organizations. Organizations based outside of the EU that offer goods or services to EU data subjects are covered by the regulation.
The full text of the regulation is available for download.