On May 25 2018, the General Data Protection Regulation (GDPR) was implemented, triggering an overhaul of data protection rules in Europe. It means there is now one set of regulations for all companies operating in the EU, wherever they are based.

The aim of the regulation was to give people more control over their personal data and enable businesses to benefit from a level playing field.

The consequences of not adhering to the rules? Severe financial penalties. Failure to comply could mean a fine of up to €20 million or 4% of an organisation’s total worldwide annual turnover, whichever is higher.

But what impact has GDPR had? Has anything changed when it comes to data protection? Jim Barkdoll, CEO, Titus, explores this in more detail.
Lack of enforcement and resulting confusion

When GDPR was developed, consumers and many in the security community believed this was a watershed moment for data security and data privacy. But the first truly significant fine levied based on GDPR regulations was against Google and didn’t have a lot to do with data privacy or protection. This action contributed to the confusion that persists around what it means for an organisation to be truly compliant.

At this point, many might question why confusion exists a full year after GDPR was enacted. There are two significant factors driving this – the broad way in which GDPR defines ‘personal data’ and the ‘good enough’ approach organisations take when trying to become compliant.

At its core, GDPR drives organisations to put better protections in place around personal information. But how personal data is defined is complicated. In short, the legislation defines personal data as ‘any information relating to an identified or identifiable natural person.’ That’s awfully broad, which is by design.

The effect of this broad definition is that organisations are confused as to what information must be most critically protected and if/how information has been incorrectly exposed. As a result, many are over-reporting data breaches. In a speech late last year, UK Deputy Information Commissioner James Dipple-Johnstone noted organisations were reporting potential or supposed breaches in an effort to be transparent. The time and effort required to report breaches that may not have even occurred simply to avoid consequences would be better used in applying protection to personal data and becoming compliant.

www.intelligentciso.com | Issue 11