ISACA Journal - 2016 Volume 6

GDPR’s impact will be felt. Rest assured, the export regime will make sure of that. Companies meeting these definitions will be forced to comply or abandon any opportunity to engage with the significant audience of EU customers. Stiff penalties for noncompliance include fines greater than € 20 million, or approximately US $23 million, and 4 percent of the company’s global revenue.

Although companies of all sizes will be challenged, the GDPR most significantly impacts global companies with a broad international presence.

These challenges arise from companies having to expand the scope of already very complex IT landscapes and from the cross-border transmission of personal data.

Turning Cost Into Value

Usually, any compliance is perceived as a cost.

Effective companies and their leaders successfully generate value for businesses and their customers by designing and deploying responsive data privacy and compliance programs.

For example, the leading global energy management and automation provider proposed three major objectives for its worldwide personal data protection compliance initiative:

1. Put the US $1.2 billion risk of breaching personal data protection regulations4 under control in the EU and other countries where the company operates.

Do you have something to say about this article?

Visit the Journal pages of the ISACA® web site ( www.isaca. org/journal), find the article and click on the Comments link to share your thoughts.

On 4 May 2016, after four years in the making, the European Union (EU) General Data Protection Regulation (GDPR) was published in the Official Journal of the European Union1 and officially set an application date. 2 While the regulation entered into force on 24 May 2016, it applies going forward beginning on 25 May 2018. The GDPR is working in conjunction with, and expanding upon, the EU Directive regarding the processing of personal data to achieve the common goals of personal data protection, crime investigation and prosecution. This partnership is unveiling sweeping updates to data protection rules of which the world has not seen the likes in more than 20 years.

The vast majority of respondents (84 percent) indicated that they anticipate that the GDPR will impact their organization. 3

The new GDPR, put forth by the European Commission in 2012 and generally agreed upon by the European Parliament and Council in December of that same year, is set to replace Data Protection Directive 95/46/EC. Over the past four years, proactive companies have implemented the necessary privacy processes and procedures that comply with Directive 95/46/EC. Companies will need to do the same once again for the new protections for EU data subjects when the GDPR begins to be enforced. Substantial fines and penalties will be imposed on companies with noncompliant data controllers and processors.

The impact of this new regulation is completely pervasive. Companies with more than 250 employees that process personal data of EU citizens will be subject to the GDPR. Not only that, but GDPR applies to all private sector personal data processing by organizations of the EU and organizations outside the EU that target EU residents. Wherever such organizations transfer personal data to the EU, the

Ilya Kabanov, Ph.D.

Is an information technology expert with 15 years of experience in enterprise IT. He has held leading transformation roles in IT strategy, technology project management, security and data privacy in companies ranging from a successful start-up to a global US $36 billion enterprise.

Currently, Kabanov provides leadership to a global applications security and personal data privacy compliance initiative for a top global energy management and automation provider. In 2013, Kommersant Magazine recognized him as Russia’s best chief information officer in the logistics and transportation industry. Kabanov is a member of the Institute of Electrical and Electronics Engineers and the International Association of Privacy Professionals and serves as a judge at the MIT Sloan CIO Symposium.