GDPR Facts & Challenges

Let’s list some GDPR facts and challenges:

  • The estimated time of engagement will be the end of 2018
  • All recent cyber incidents in the US have made Europe deeply suspicious of US privacy and cyber reliability
  • GDPR is simply a data privacy compliance regime that forces other countries to comply with Europe. In the past, cyberspace was 100% ruled by the US, and compliance requirements in that regard were also largely driven by US-based regulations, but that has changed in recent years
  • No current initiative or certification fulfills GDPR compliance by default; however, every step you accomplish makes the entire process smoother, cheaper and easier to enforce and implement gradually
  • The regulation is about “structured data running through the enterprise”: the flow of data and how it is organized
  • It requires extensive record keeping to enable “proof of compliance”: GDPR requires companies to maintain records of all processing of personal data
  • GDPR believes in embedding privacy measures into corporate policies and everyday activities that involve personal data
  • You must document privacy measures and keep records of compliance
  • Train employees on privacy and data protection and regularly test and audit your privacy measures. Then use the results to improve policies and controls
  • Every single person acts like a customer: individuals can, for example, request that businesses provide their data in a structured, commonly used and machine-readable format and transmit it to another controller (their “right to data portability”), or have their information deleted (their “right to be forgotten”). The result is much stricter rules on what is called “privacy by design and by default”: consent, notification of data breaches, and mandatory privacy impact assessments
  • Technology won’t solve the issue in the first place. It is more about understanding what businesses need to do, and then making many changes to processes. Technology is the last part, perhaps only to enforce and support the system
  • Migrating to cloud computing will ease compliance, but it won’t necessarily refine internal workflows. So even if your company is already a cloud entity or ready to become one, do not rely too much on what cloud vendors claim
  • Utilizing the US Privacy Shield as a final solution is not applicable; the Privacy Shield only applies to transfers of data across the Atlantic. The US negotiated an agreement called the US-EU Privacy Shield with EU regulators that enabled more than 2,000 US cloud companies to transfer the personal data of EU citizens to the US for processing without risk of breaching fundamental European privacy rights. But in January, President Donald Trump signed an executive order that modifies the Privacy Shield agreement in an attempt to avoid running afoul of EU privacy rules when spying on non-US citizens
  • Standards are good to comply with, but regulations are mandatory. GDPR is not merely good to comply with; it is mandatory if you seek business in Europe
  • Organizations can be fined up to 4% of annual global turnover or €20 million, whichever is greater, for breaching GDPR
  • GDPR is one of the strongest competitive factors in business. It is like a metric: it drops companies off the list, or can add them as the only qualified candidate to negotiate a deal
  • GDPR compliance is a journey that is better started sooner if you want to conduct business with Europe

By Kaveh Mofidi

I find simple solutions for complex problems. While I enjoy working with information security and computers, our challenges extend far beyond securing data. The real task is to discover solutions for unlimited clean energy, drinkable water, and addressing the root causes of hunger, war, and injustice. Our primary goal should be to keep our planet livable; that is the true challenge we face on Earth!
