General Data Protection Regulation: an EU requirement?


The General Data Protection Regulation requires businesses to protect the personal data and privacy of European Union citizens for transactions that occur within EU member states. Adopted by the EU in 2016, this major change in data privacy regulation will be enforced starting May 25. Non-compliance could cost companies dearly.

On this episode of CyberChat, host Sean Kelley, former chief information security officer at the Environmental Protection Agency, is joined by Greg Cranley, vice president of Federal and U.S. Public Sector Sales at Centrify.


GDPR’s biggest change is its extended jurisdiction. According to EUGDPR.org, the new law applies to “all companies processing the personal data of subjects residing in the EU, regardless of the company’s location.”

Cranley says this is much different from the Health Insurance Portability and Accountability Act protections in the U.S. “[GDPR] strengthens the privacy rights of individuals. With a lot of compliances in the States, such as HIPAA, there aren’t really any rights [for the individual]. It’s an expectation that [the health care provider] will take care of your healthcare data.” But Cranley said it’s no guarantee.

“When it comes to data collection, the companies collecting the data [aren’t] necessarily the concern. The concern comes when the data breach happens,” Cranley said. He added that people should be aware that the majority of data breaches happen through stolen identities. “According to a recent survey published in The New York Times, most CEOs believe malware is the biggest cause of breaches, which is not true.”

As the GDPR compliance deadline approaches, Cranley said many companies will be struggling. “The requirements are pretty strong and strict.” Companies found not in compliance can be fined up to £20 million or 4 percent of gross profit.

Top Takeaways:

  1. GDPR strengthens the privacy rights of individuals
  2. GDPR is far more extensive than most U.S. privacy laws
  3. Most CEOs believe malware, not stolen identities, causes breaches
  4. Many companies will struggle to make the May 25 GDPR compliance deadline