Navigating compliance is quickly becoming one of the major cyber-risk pain points for businesses. New regulations around cybersecurity and privacy, such as NY-DFS 500, are burdening businesses with complex compliance requirements. The new European Union General Data Protection Regulation (GDPR), taking effect this May, will make meeting compliance even more challenging.
The GDPR is the most significant overhaul of global privacy law in the last 20 years, requiring every business that collects, processes, or stores the personal data (PII) of individuals in the European Union (EU) to follow strict data protection compliance standards, regardless of where a company is located. Noncompliance could bring significant fines of up to 4% of total global turnover or €20 million.
The GDPR places people in control of their personally identifiable information (PII) and holds companies accountable for ensuring data privacy. Every third-party system used to store or transfer PII will be subject to the GDPR. The most challenging aspect of the GDPR is consent, including demonstrable proof that data has been expunged (also known as the “right to be forgotten”). In the event of PII loss or exposure, companies must report the breach to a designated supervisory authority and notify the affected PII owners within 72 hours of the incident.
In short, the GDPR puts all accountability for PII protection on the data holders, data processors, and service providers. Firms will have to manage a new layer of risk associated with GDPR compliance and balance GDPR risk mitigation within the context of their existing cybersecurity and/or compliance program.