With the General Data Protection Regulation (GDPR) enforcement date set for 25th May 2018, we thought it appropriate to take another look at the European directive that will have a global impact.
Though a legal requirement created by the EU, GDPR applies to personally identifiable information (PII) relating to EU citizens. It therefore applies to any business handling such PII, even one operating outside the EU, which is why the impact of this new regulation will be felt globally.
Not just another regulatory compliance
In the U.S., organisations are already accustomed to meeting security requirements driven by regulatory obligations, such as the Payment Card Industry Data Security Standard (PCI DSS), the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF) and Special Publication 800-53r4, International Organization for Standardization (ISO) 27001 and 27002, and the Homeland Security Act (HSA), so GDPR may be seen as just another compliance audit to be undertaken each year.
However, Sysnet believe that U.S. companies, and all businesses based outside the EU, should not treat GDPR as just another regulatory compliance obligation to be met. Sysnet’s Jeremy Lacy, Senior Cyber Security Consultant, U.S., highlighted the importance of this:
“I honestly believe that if GDPR is implemented correctly and changes (with) the global business landscape, it may be a step towards a global information security data security and privacy standard. With that in mind, American companies need to do their part and participate in the development of GDPR to maintain the highest level of information security and data privacy possible.”
Organisations that are not compliant with GDPR also face serious fines:
- Fines of up to €10 million or 2% of worldwide annual turnover, whichever is the higher, for breaches such as:
  - failing to obtain consent for the processing of children’s Personal Data;
  - failing to implement appropriate technical and organisational measures;
  - controllers failing to comply with obligations in relation to the engagement of, and processing carried out by, Data Processors;
  - failing to notify a Personal Data breach;
  - failing to complete a data protection impact assessment, when one is required;
  - failing to appoint a Data Protection Officer, if one is required.
- Fines of up to €20 million or 4% of worldwide annual turnover, whichever is the higher, for infringements of GDPR provisions, including:
  - the basic principles for processing, including conditions for consent;
  - the data subjects’ rights;
  - the conditions required for transfers of Personal Data to third countries or international organisations.