
GDPR Compliance: The impact on the information security sector

Ready or not, Europe’s General Data Protection Regulation (GDPR) goes into effect in May 2018, and naturally we’d prefer that you’re ready for it. The GDPR will become the EU’s primary data protection law and replaces the 1997 Data Protection Directive (“Directive”). There are a few reasons why the GDPR has arrived at the perfect moment.
The Directive is 20 years old now, and the technology landscape has changed: information technology is integrated with everyday life. Because it was a directive, it also set only a minimum standard, and member states often developed inconsistent policies when it came to cyber security. With the EU operating as a unified market, this presented a problem. The GDPR is a full regulation that will be implemented in full across all member states as one policy. This helps to correct the imbalance where some member states had more stringent security policies than others.
Globally, the information security sector will be impacted. So let’s talk about what the GDPR is and what exactly some of those impacts will be.
What is the GDPR?
The GDPR is a cyber security regulation that was agreed upon in May 2016 after four years of development. The regulation is intended to protect EU citizens’ personal data. It expands the rights of EU citizens and affects any organization that does business with any member state of the EU. There are some critical components of this legislation which should be emphasized because they will no doubt have an impact on the information security sector.

  • Scope:
    Unlike the Directive, the GDPR applies to any company that markets to EU citizens. In effect, much of the world is subject to the GDPR, regardless of whether they hold offices or assets in the EU. More information can be found in Article 3.
  • Fines:
    The GDPR imposes a fine of 4% of global revenue if a company violates specific chapters of the regulation. This includes a violation of principles, rights of the data subjects, and responsibility of data controllers/processors.
  • Rights of Data Subjects:
    The chapter on rights for EU citizens is extensive. Some important ones to note are the right to data portability, the right to rectification, the right to erasure, the right to restriction of data processing, and the right to object to automated processing. This regulation was crafted with the protection of EU citizens in mind.
  • Data Protection Officers (DPO):
    Companies whose core activities include processing of GDPR-defined “special categories” of data must appoint a DPO to ensure that compliance is met and data is secure. The special categories of data include anything uniquely identifying, such as race, sexual orientation, biometric data, political leanings, and many others. Refer to Article 9 for specifics.
  • Breach Notification:
    Under the GDPR, companies are required to report a breach to the appropriate authority within 72 hours. This is not universal, however, and depends on role and context. Rules apply differently to controllers and processors in the event of a breach. For specifics on the requirements for each, refer to Article 31.

Impacts on Information Security Sector
Do you feel the impact already? If you’re a European-based information security firm, you have likely already had a few discussions or even calls about the GDPR. Impacts on the information security sector will be centered around product development, regulatory strategy, and staffing.
Much of what is included in the GDPR is what information security experts have spent years lobbying for. The GDPR has put into legislation the best practices from the privacy-by-design and security-by-design frameworks, so much of the legislation should not be anything new for those in the information security sector. However, it does change what offerings are made to clients and what their needs are.
Product Development
Prior to this legislation, security products globally were designed with security first; however, this does not inherently mean that privacy was also first. GDPR standards will now need to be built into any products developed by cyber security vendors, or else those products will be pushed out of the market. Existing deployments will need to be reviewed and updated if they are not already in compliance with the GDPR. For cyber security consultants, their services will now require a fluent understanding of the GDPR and how it applies to their potential and existing clients.
Regulatory Strategy
Cyber security professionals, by the nature of their work, need to always be one step ahead of their customers and clients in regard to regulations and directives. Maintaining a strong understanding of the GDPR will allow cyber security professionals not just to help European-based companies maintain compliance but also to help companies outside of Europe understand what it takes to engage the European market. For experts who work internationally, it will also be important to know how to help clients meet both the GDPR and regional security requirements. As information becomes more central to the markets, it will be increasingly important for cyber security experts to develop proficiency in policy analysis to remain competitive.
Skills Training
The requirement for the DPO will be a new concept to many companies outside of Europe. The GDPR will require at least 75,000 DPO positions to be filled worldwide, according to a study by the International Association of Privacy Professionals (IAPP). Many are doubtful that organizations outside of Europe will be able to fill the position in time, mainly because there are not enough trained professionals for the role. Once the GDPR is active, information security professionals may find themselves in a position where their clients ask for qualifications in alignment with that role. In effect, the GDPR will incentivize a greater emphasis on privacy and a need for companies to train one of their managers to fulfill the role of DPO.
The GDPR has already sent shock waves throughout the information security sector. As the deadline to be in compliance draws near, private companies will expect information security professionals to help them meet it in a narrow window of time. It is best to prepare now for an influx of work.
