Preparing for the general data protection regulation

The European Union's General Data Protection Regulation (GDPR) is the biggest shake-up of global privacy law for over 20 years. Adopted in April 2016, with enforcement due from 25 May 2018, the GDPR represents the culmination of over five years of effort to modernise data protection.
The EU Directive on Data Protection (95/46/EC) (the EU Directive), adopted in 1995, could not have anticipated the increasing importance and reach of the Internet, or the exponential growth in methods for the mass-processing of data, such as online retailing, search engines and social networks. In response, the GDPR supersedes the EU Directive to create a single data protection law that applies directly in all EU Member States.
The GDPR applies to personal data relating to EU residents regardless of where it is processed. It redefines the territorial scope of EU data protection legislation, so that organisations worldwide must comply with its requirements. The ISF estimates that over 98% of its Member organisations will be affected as a result. While the GDPR is based on the same data protection principles as its predecessor, it introduces new rights for data subjects (identified or identifiable individuals), such as the rights to erasure and to restriction of processing of their personal data. It also places new obligations on organisations, for example designating a data protection officer and carrying out data protection impact assessments. The GDPR enables supervisory authorities to impose tough penalties, including fines of up to €20m or 4% of annual worldwide group turnover, whichever is higher.
Robust data protection is not simply a burden on an organisation; good data protection practices should protect both brand and reputation, and improve data quality. An organisation with mature data protection practices should be able to meet many of the GDPR's requirements. The ISF Approach, shown in Figure 1, will help an organisation to prepare for the GDPR's requirements. It recommends that an organisation should:

- determine the applicability of the GDPR to its data processing activities
- evaluate the effectiveness of its data protection controls
- assess the scope of its data protection capabilities
- understand the consequences if the GDPR's requirements are not met
- aim to comply by 25 May 2018.
An organisation may already understand the extent to which it aims to comply with the GDPR, and the risks associated with its approach. Those yet to determine their approach must start preparing immediately or accept substantial risk.


Source: Information Security Forum Limited