GDPR – What is it?

GDPR or the General Data Protection Regulation is the European Union’s new legislation to protect the personal data of EU citizens. Organisations have been given a two year lead in period to become compliant, ending 25th May 2018.

The primary objective of the GDPR is to give citizens back control of their personal data.  Once GDPR takes effect it will bring together previous data protection regulations throughout the EU.

GDPR Compliance Requirements

Organisations will also need a way to verify the legitimacy of users and transactions, and to prove general compliance. It is vital  that the security controls in place be first and foremost demonstrable and secondly that they are auditable.

In addition, strong key management is required to not only protect the encrypted data, but also to ensure the deletion of records and to comply with a user’s given right to be forgotten.

GDPR does provide certain exceptions based on whether the appropriate security measures and controls are deployed within the organisations.  For example an organisation which has been breached and that subsequently rendered the data unintelligible through encryption is not mandated to notify the affected record owners.

This EU compliance regulation will have a far reaching impact for organizations throughout the world.