Two years after the EU created its General Data Protection Regulation, on Friday the EU's 28 member states began enforcing the privacy law.
But don't fixate on May 25 being the enforcement start date. "It's not an absolute deadline; it's the start of a new journey in the privacy regulations and environment within the EU and indeed, due to the nature of GDPR, globally as well," says Brian Honan, who heads BH Consulting, a Dublin-based cybersecurity consultancy that has been helping organizations achieve GDPR compliance.
GDPR requires all organizations that store Europeans' data to do so securely, as well as in an accountable and transparent manner (see Europe's Strong GDPR Privacy Rules Go Into Full Effect).
So what happens to organizations that must comply with GDPR but have yet to do so, despite two years' advance warning? Under GDPR, EU data protection watchdogs can impose fines of up to 4 percent of an organization's annual profits or €20 million ($23 million), whichever is greater.
Focus on Compliance, Not Fines
In an interview with Information Security Media Group, Honan says such organizations should be able to demonstrate that they are actively working toward achieving - or better still, maintaining - their GDPR compliance.
"Forget about all the fines and punishment stuff - that's just the headline stuff that vendors want you to pay attention to, to scare you into buying their products and services," Honan says. "The key thing that the regulatory authorities will look for is transparency and accountability and that you can demonstrate that you have started your journey, that you're taking this thing seriously, that you have the adequate resources to your project, and okay even if you haven't finished, that at least you have a plan of action and you're on that plan already."
GDPR Compliance Essentials
In this interview, Honan also discusses:
- Accountability: "Are you keeping a record and a track of all the decisions you've made, and why you're doing things the way you're doing it?"
- Transparency: "Are you being transparent with your data subjects as to how you're managing their data, how you're protecting it, what you're doing with that data?"
- Enforcement: How have regulators - including Ireland's data protection commissioner, who oversees many technology giants' European operations - indicated they will move forward?
Honan is the founder and CEO of BH Consulting and the founder of Ireland's first computer emergency response team, IRISS-CERT. He's also a cybersecurity adviser to the EU's law enforcement intelligence agency, Europol.