The General Data Protection Regulation, GDPR, is the new personal data protection regulation affecting EU countries. It came into force in May 2016 and member countries now have a two-year grace period to bring their own legislation into line with it.
At the moment there are several attention-grabbing GDPR aspects.
First of all, there is the bombardment we are currently being subjected to by the industry. Every Monday and every Tuesday a new pundit report “rains down from the skies”, or a whole slew of recommendations for tackling the “Journey to GDPR” (remember the “Journey to the Cloud”?). Even IBM is running a GDPR countdown on its dedicated GDPR page. It’s the Final Countdown!
Secondly, all informed opinion agrees there are two key aspects the world needs to gird its loins for or buck against, as the case may be: a) breach notification and b) data sharing. The general reaction can be divided into two camps: those who think this will be very difficult and those who have no intention of complying. Negative in either case, so rivers of ink are likely to flow up to May 2018, the cut-off time for implementing the Directive in all countries.
Thirdly, the fines. In the Spanish case it seems that the maximum €600,000 fine for a breach of the Spanish Data Protection Act (LOPD) has not been “daunting” enough to deter breaches, at least for big organizations (an SME would go under). But the GDPR weighs in with a massive fine of up to €20 million or 4% of turnover, whichever is greater, aimed precisely at the major organizations. The European Commission has a long track record of imposing heavy fines on big multinationals (especially technology firms: Intel, Microsoft, Google, Amazon, Apple…), so any firm that doesn’t take this seriously may be in for a broadside.
Lastly, there is an eye-catching number of cybersecurity laws and regulations that will affect Spanish and European organizations in the short term, especially in some sectors. The GDPR has already been officially twinned with the Network and Information Security (NIS) Directive, and the NIS Directive in Spain is soon to be officially twinned with Spain’s Critical Infrastructure Protection Law (PIC in its Spanish initials). And the financial sector, one of the key cybersecurity stakeholders, is affected by the former, by the legislation of the European Central Bank, by PCI and by others. We firmly believe that cybersecurity laws and regulations benefit organizations and boost the sector as a whole, although we also sense a certain regulatory overkill, so the rather weary reaction to the GDPR might well be “yet another law to obey; I’ll deal with that when it comes to it”.
The GDPR scenario is fairly familiar to companies like GMV. It is not the first (nor will it be the last) law or regulation to be tackled, both on our own account and to help our clients. The Spanish Data Protection Act (Ley Orgánica de Protección de Datos: LOPD), the Critical Infrastructure Protection Law (PIC), the National Security Scheme (Esquema Nacional de Seguridad: ENS), PCI (Payment Card Industry), NERC, … are examples of fully consolidated laws and regulations for which we have helped to set up compliance plans, implement the required cybersecurity measures and demonstrate compliance afterwards. The GDPR calls for the appointment of a Data Protection Officer (DPO), who is bound to take on a review of the organization’s current data-protection arrangements, set up a compliance roadmap, drive cybersecurity projects, flag incidents, manage activity on a daily basis… he or she is going to be pretty busy. GMV intends to help the DPO and his or her organization find their feet in all these newly assigned remits.
Author: Javier Zubieta Moreno
The author’s views are entirely his own and may not reflect the views of GMV.