By MARK FULFORD
The General Data Protection Regulation (GDPR), Europe’s new framework for data protection laws, officially goes into effect on May 25, 2018. And it’s causing U.S. businesses in every industry to prepare for enforcement.
Whether you’re a hospital that has patients who live in the European Union or you’re a legal firm with clients in the EU, you’re required to meet the new GDPR standards.
Why the GDPR Should be on Your Radar if You’re in IT:
So, what should organizations be preparing for with regard to the new GDPR requirements? Here are a few key points to consider if you maintain information on any EU citizens:
- The GDPR requires organizations to obtain an individual’s consent when collecting their personal details. Many of the current U.S. regulations are organization-centric and are mainly targeted at protecting an individual’s information from a security breach. The GDPR takes consent to a new level: it requires organizations to obtain active consent from the individual before storing any of their personal details in a database.
- The GDPR includes a “right to be forgotten” rule worth noting. Under current regulations, an individual’s record in an organization’s database cannot be erased simply because the individual asks for it to be. The GDPR grants individuals a right to erasure, although exactly what must be done to honor it is not black and white.
- The GDPR emphasizes compliance, risk activities, and high-security storage. Like many of the current regulations, the GDPR provides strict guidelines for implementing a risk-based approach to data processing and for measuring the effectiveness of privacy and security compliance controls. The GDPR makes it mandatory for organizations to deploy adequate security, encryption, pseudonymisation, redundancy, and intrusion detection mechanisms in order to ensure that constituent data is not compromised in any way.
Is Your Organization Prepared for GDPR Enforcement?
In many ways, the GDPR takes cybersecurity to a different level for certain organizations. It is going to be just as significant as, if not more significant than, the current industry regulations.
Making sure your organization is aligned with the data handling requirements of the GDPR before the enforcement date of May 25th is critical. In addition to familiarizing yourself with the GDPR requirements, it’s important to map those requirements to your organizational policies and procedures.
Mark Fulford, CISSP, CISA, ABCP, HITRUST, is a shareholder in the Information Security Division of LBMC with nearly 25 years of experience in information technology, audit and security. LBMC Information Security focuses on three major areas – compliance and audit services, managed security services, and security consulting – across a range of industries with a depth of knowledge in healthcare. For more information, go online to lbmcinformationsecurity.com