MetricStream | Various Authors | GPE – November 15, 2017:
Requirements for Data Processors, Data Controllers, and Data Protection Officers.
The EU General Data Protection Regulation (GDPR) is poised to do for data protection and security what the Sarbanes-Oxley Act (SOX) did for corporate governance in the early 2000s – the implications are that significant.
While the new regulation may be EU-specific, its reach and impact are global. Enterprises across countries that collect, store, or process the personal data of EU citizens – be it that of customers, employees, patients, policy holders, beneficiaries, contractors, third parties, volunteers, or visitors – will need to demonstrate compliance with GDPR. Government agencies will also be impacted by the regulation.
It doesn’t end there. While GDPR may seem like an “IT” issue, it will require multiple business units to participate actively in compliance – particularly Human Resources, Sales and Marketing, Finance, Procurement, and Legal. What’s more, for the first time in the EU, data processors, including third parties, vendors, and suppliers, will have direct obligations and responsibilities to protect and secure the data that they process.
In short, the scope of the new regulation is immense. And the repercussions for non-compliance are also expected to be huge – up to 4% of an enterprise’s annual global turnover or €20 million, whichever is greater. To put that in context, the UK-based telecom company TalkTalk was fined a record £400,000 by the UK Information Commissioner’s Office (ICO) in 2016 for security failings that allowed cyber attackers to access customer data.
Under GDPR, those fines could have shot up to more than £50 million.
So What Do Enterprises and Government Agencies Need to Do?
To read the full report, which answers the above question, please click here.