What is the General Data Protection Regulation (GDPR)?

It is a law, a regulation that applies to any organization that markets to, or runs processes involving, data of end users, customers and employees in the European Union (28 countries). Those entities must know and meet its requirements, provisions, challenges and implications.

It will unify data privacy requirements across the European Union (EU).

The big question is: does my organization have anything to do with any country in the European Union? If the answer is yes (and it very probably is), the GDPR applies to you in full.

The GDPR, which takes effect May 25, 2018, is designed to unify data privacy requirements across the European Union (EU).

It focuses on 4 key aspects:

- Fines (up to 4% of annual revenue; up to 2% for failing to notify a breach)
- Right to be forgotten
- Data Protection Officer (DPO)
- Breach notification (within 72 hours)

Those are just the key aspects; nevertheless, there is a tremendous amount of detail that should be considered.

The focus is data protection, and failures in exactly that area are among the biggest threats to PII. This regulation has earned a prominent place on the agendas of C-level executives and boards around the globe, because who is not doing business with the EU?

“The driver for any organization is making profit and activities that generate business.”

That is why businesses set goals and long-term expectations, which form the vision: where to be in the future. In order to reach that future state, they need a corporate strategy that lets them reach those goals in a structured way with a high level of confidence.

Of utmost importance are compliance and regulations; they are not the same thing, but they are related. It is the law, and nobody is above it.

Criminals have set their focus on PII because this information is highly valuable in black markets, but why?

If you lose your credit card information, you can easily replace it; within 5 minutes you will have a new credit card, with a new number, expiration date and CVV, and the old one will be blocked or simply discarded. So far, that is fine. The main issue with PII is that you cannot change where you were born, your birth date or your chronic illnesses; once that information is known, it stays that way almost forever, because it cannot be changed. This longevity, or perpetuity, is what makes the information valuable to bad actors.

GDPR tries to unify this scenario with the 4 mandates previously mentioned.

Companies must appoint a DPO, the individual whose main tasks are setting the rules and overseeing data treatment and protection activities. Before this regulation, when a breach occurred it was up to the organization to decide whether to report it (weighing financial, stock, client and market reputation impacts). Now reporting is mandatory; organizations no longer have the choice. Whenever a breach happens, it must be reported within 72 hours of learning about it.

Additionally, violations of the basic data processing provisions may draw fines of up to 4% of the organization's annual revenue, and violations of the breach notification rule up to 2%.

All these mandates will definitely have a corporate impact.

The importance given to the cyber-security and information security functions could potentially determine the success or failure of the business, and this is exactly why executives are paying attention now.