What You Need To Know About General Data Protection Regulation (GDPR)

  • May 4, 2018

What Is The GDPR?

The General Data Protection Regulation is a rule passed by the European Union in 2016, setting new rules for how companies manage and share personal data. In theory, the GDPR only applies to EU citizens’ data, but the global nature of the internet means that nearly every online service is affected, and the regulation has already resulted in significant changes for US users as companies scramble to adapt.

Companies that collect data on citizens in the European Union (EU) countries will need to comply with strict new rules around protecting customer data by May 25. The General Data Protection Regulation (GDPR) is expected to set a new standard for consumer rights regarding their data, but companies will be challenged as they put systems and processes in place to comply.

Does This Affect American Businesses?

Recognizing that data can travel well beyond the borders of the EU, GDPR provides protection to EU citizens no matter where their data travels. This means that any company, anywhere, that has a database that includes EU citizens is bound by its rules. Businesses of all sizes are affected — from micro to multinational. No one is exempt. In order to comply, American companies can either block EU users altogether (an impossible choice for a multinational brand) or have processes in place to ensure compliance.

GDPR Compliance Requirements

This EU compliance regulation will have a far-reaching impact for organizations throughout the world.

However, GDPR does provide exceptions based on whether the appropriate security controls are deployed within the organization. For example, a breached organization that has rendered the data unintelligible, through encryption, to any person not authorized to access it is not required to notify the affected record owners.

To address the GDPR compliance requirements, organizations may need to employ one or more different encryption methods within both their on-premises and cloud infrastructure environments, including the following:

  • Servers, including via file, application, database, and full-disk virtual machine encryption.

  • Storage, including through network-attached storage and storage area network encryption.

  • Media, through disk encryption.

  • Networks, for example through high-speed network encryption.

In addition, strong key management is required not only to protect the encrypted data but also to ensure that files can be deleted and that a user’s right to be forgotten can be honoured.

Organizations will also need a way to verify the legitimacy of user identities and transactions and to prove compliance. It is critical that the security controls in place be demonstrable and auditable.
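The key-management and auditability points above, as an added example that is not part of the original article: each data subject's records are encrypted under their own data-encryption key (DEK), every DEK is wrapped under one master key (KEK), and an erasure request is honoured by destroying that subject's DEK and logging the destruction. The keystream is HMAC-SHA256 in counter mode only so the example runs on the Python standard library alone; a production system would use AES-GCM with an HSM-backed KEK, and this demo carries no integrity tags.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode stands in for a real cipher (use AES-GCM in production).
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:length])

def _seal(key: bytes, data: bytes) -> bytes:
    # nonce || (data XOR keystream); this demo carries no integrity tag.
    nonce = secrets.token_bytes(16)
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

def _open(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

class SubjectVault:
    """One data-encryption key (DEK) per data subject, each wrapped under a master key (KEK).
    Erasure destroys the subject's DEK: the ciphertext (and any backup copy of it) can no
    longer be decrypted, and the destruction is recorded for the auditor."""

    def __init__(self, kek: bytes) -> None:
        self._kek = kek
        self._wrapped_deks: Dict[str, bytes] = {}  # subject_id -> DEK sealed under the KEK
        self.records: Dict[str, bytes] = {}        # subject_id -> record sealed under its DEK
        self.audit: List[str] = []                 # evidence that controls were applied

    def store(self, subject_id: str, plaintext: bytes) -> None:
        if subject_id not in self._wrapped_deks:
            self._wrapped_deks[subject_id] = _seal(self._kek, secrets.token_bytes(32))
            self.audit.append(f"dek-created {subject_id}")
        dek = _open(self._kek, self._wrapped_deks[subject_id])
        self.records[subject_id] = _seal(dek, plaintext)

    def read(self, subject_id: str) -> Optional[bytes]:
        if subject_id not in self._wrapped_deks:
            return None  # key destroyed: the record is cryptographically erased
        dek = _open(self._kek, self._wrapped_deks[subject_id])
        return _open(dek, self.records[subject_id])

    def erase(self, subject_id: str) -> None:
        # Right-to-be-forgotten request: destroy the key rather than hunting every copy.
        self._wrapped_deks.pop(subject_id, None)
        self.audit.append(f"dek-destroyed {subject_id}")
```

Note that the ciphertext stays in `records` after `erase`: that is what makes the pattern work for backups and replicas, provided the KEK and wrapped DEKs are never backed up alongside them.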

Who Can Help You to Maintain all the Requirements?

Rely on highly qualified professionals to feel confident about meeting your obligatory requirements.

Make sure you get exactly what you’re looking for by putting everything in the hands of experts!

Please feel free to contact me if you need any further information.