GDPR Overview
The General Data Protection Regulation applies to businesses within and outside the European Union that collect personal data belonging to EU citizens. The goal of the GDPR is to establish a single, consistent regulation for the privacy of personal data because, in the regulation's own words, “rapid technological developments and globalization have brought new challenges for the protection of personal data.”
Compliance with the GDPR requires the creation and enforcement of several technical and administrative controls. Specifically, sections 2 and 3 of the GDPR require impact assessments, security controls, and notification of data breaches. Organizations must notify the authorities within 72 hours of becoming aware of a breach. The organization does not need to notify the data subject (the citizen) of a breach if it has appropriate measures “applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption.”
Ignoring the compliance obligations under GDPR is not an option. Fines for breaching the regulation can be up to €20 million, or 4% of annual worldwide turnover, whichever is higher.