Is your company based in the US and also operating in the EU? There are things you MUST learn about the Global Data Protection Regulation (GDPR) - this law, which goes into effect May 25, 2018 - will have an impact on your business. This expert webinar will help you prepare for what's ahead.
Register and Watch
How familiar are you with the GDPR?
How far along are you in your GDPR planning?
HERE ARE SOME ANSWERS TO QUESTIONS RAISED DURING THE WEBINAR FOR WHICH WE WERE UNABLE TO ADDRESS DURING THE LIVE SESSION
Question: Could you suggest some of baseline security controls can be used to comply with GDPR as Data Controller?
Wamsley: Unfortunately, there isn’t really a one-size-fits-all standard that we can look to for a quick answer here. Depending on your organization, you could look to the multitude of existing applicable standards as a starting point. A great place to start is ISO 27001 and also look to the NIST Cybersecurity Framework for guidance on most of the aspects of a mature security organization that you should be thinking about. Wherever you start though, it is critical to remember that as Data Controller, you will be responsible for your third party contractors so you will need to enhance your focus on your third party ecosystem security.
Question: To what extent do you think US-based companies will pull out of doing business in the EU given the costs of achieving compliance and the monetary risks of non-compliance?
Kost: Clearly, a business will weigh the cost to do business in the EU within GDPR requirements with the associated gains. It is still unclear of the costs to achieve compliance with GDPR requirements and thus would not expect to see many companies choosing to do so at this time. There are many other regulatory requirements that US companies face that will drive them to put in place processes and procedures to get them closer to the requirements to achieve GDPR compliance. Choosing to not do business in the EU does not excuse most companies from taking steps for privacy and data security.
Question: Do you see Internet businesses excluding access to EU citizens?
Wamsley: Not in any large numbers. We may see some organizations segment their infrastructure to keep EU citizen data separate from US citizen data but, in today’s global economy, I can’t foresee companies purposefully excluding EU citizens from their market. Overall, I don’t think this will really happen in any meaningful way.
Question: Can someone discuss non-compliance penalties?
Wamsley: While we touched on this during the webinar, there are a lot of details that we couldn’t get into. On September 25, I will be publishing a guide on GDPR enforcement, including penalties and audit provisions at:
The requirements that GDPR places on organizations are wide-ranging and will impact everything from the people in the organization, to the processes and policies guiding the organization, straight through to the technology running the business. But before you can even begin to address the GDPR you need to be able to control your data. The first step in this process is knowing precisely what data you have and putting processes and tools in place to help you expose the data you don’t know you have.
The experts on this panel will discuss and explore the following points:
- What is the Global Data Protection Regulation?
- How does it compare to other security and privacy regulations?
- How does it compete with other security and privacy regulations?
- Who does it impact and why?
- What are some of the common misconceptions organizations have?
- What do organizations need to be aware of as they approach their compliance program?
- What things are often forgotten when organizations put together their compliance program?
There are a number of resources provided by the panelists, each of which can be accessed via the recorded webinar. Here's a collection of even more resources to help with your understanding, planning and implementation.