Four years after its introduction, the European Commission has recently come to agreement on the General Data Protection Regulation (GDPR) as organizations around the globe await the details, which should be released soon.

Often described as “fit for a digital age” by its supporters in Brussels, Belgium, the legislation aims to put users in control of their data and harmonize the rules under which private data may be obtained or retained across the 28-nation bloc.
The GDPR updates the antiquated 1995 privacy regulation, drafted three years before the founding of Google. In an effort to keep up with technology and address privacy issues important to the European community, the European Parliament came to agreement on the European Union (EU) data protection law in December 2015, with details to be released in the near future and to become enforceable in 2018.
Because this new legislation declares itself applicable to any organization that makes its goods or services available to any part of the EU, it takes little imagination to understand its reach and scope. GDPR is not merely a new version of the 1995 legislation, but a revolutionary new rule set that organizations will need to quickly understand, adopt and comply with or face significant financial consequences.
The fundamental aim of the new regulation is to put users in control of what is stored about them online. “The new rules will give users back the right to decide on their own private data,” says Parliament’s lead member of European Parliament (MEP), Jan Philipp Albrecht.¹

One prominent feature of the new legislation extends the popular right to be forgotten, a rule active in the EU since 2006, which allows users to demand deletion of their photographs, videos or personal information from any Internet records that allow them to be found by search engines. The right was initially implemented for search engines, but it has now been extended to all web services, including social media sites such as Facebook.
The right to know you have been hacked is a popular component of the GDPR and requires organizations to report to a central authority within 72 hours any data breaches that pose a risk to data owners. Users subject to high-risk breaches are also required to be notified as soon as possible, although the ambiguity of this language causes some to be skeptical of the directive’s enforceability.
Critics of the new data-protection regulation take aim at a number of its clauses. One of the most controversial aspects is the punishment for noncompliance—organizations face fines of up to 4 percent of their annual global revenue for not complying with any part of the GDPR. “Such high sanctions disincentivize business and investment,” says Intel’s global privacy officer David Hoffman.²

Skeptics are already calling the regulation the latest Silicon Valley shakedown and say it is escalating conflict with technology giants such as Google, Facebook and Microsoft.
Michael Vanderpool, CISA, CISSP, is an IT auditor with Credit Suisse, based in Wroclaw, Poland. His more than 12 years of experience in information technology have been mostly in information security, risk and compliance. With a background in the technology and financial sectors, Vanderpool has performed a variety of IT risk assessments, audits and control reviews for international corporations and banks, utilizing international frameworks such as COBIT®, COSO and ISO 27001. Prior to joining Credit Suisse, Vanderpool worked for UBS and IBM.
Feature: The Complexity Is in the Details. New EU Data Protection Law Promises User Control (ISACA Journal, www.isaca.org/currentissue)