The General Data Protection Regulation is a European Union regulation with the full title of ‘Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, which repeals Directive 95/46/EC (General Data Protection Regulation)’.
It’s the first comprehensive overhaul and replacement of European data protection legislation in over twenty years and could be the most significant regulatory framework to hit organizations since Sarbanes-Oxley in 2002. Its purpose is to replace the varying implementations across Europe of the earlier EU Data Protection Directive with a single harmonized EU regulation. The intended outcome is a standardized set of expectations about how an organization must manage and protect personally identifiable information on employees, clients and other applicable data subjects.
Any organization that holds data on EU citizens is in scope, regardless of whether it is domiciled within the EU or elsewhere. Likewise, organizations processing data within the EU on any data subject, regardless of the data subject’s location, may be in scope. Compliance is mandatory by 25th May 2018. This paper explores how, with the right approach and help, organizations can use the information-security requirements laid down by GDPR to promote privacy, security, and business enablement.