GDPR’s impact will be felt. Rest assured, the regulation’s
territorial reach will make sure of that. Companies meeting
these definitions will be forced to comply or abandon
any opportunity to engage with the significant
audience of EU customers. Stiff penalties for
noncompliance include administrative fines of up to
€20 million, or approximately US $23 million, or 4 percent
of the company’s worldwide annual turnover, whichever is higher.
Although companies of all sizes will be challenged,
the GDPR most significantly affects global
companies with a broad international presence.
Their challenges arise from having to extend
compliance across already very complex IT
landscapes and from the cross-border transmission
of personal data.
Turning Cost Into Value
Compliance is usually perceived as a cost.
Effective companies and their leaders instead
generate value for the business and its customers
by designing and deploying responsive data privacy
and compliance programs.
For example, a leading global energy management
and automation provider proposed three major
objectives for its worldwide personal data protection program:
1. Put the US $1.2 billion risk of breaching personal
data protection regulations4 under control in the EU
and in the other countries where the company operates.
On 4 May 2016, after four years in the making,
the European Union (EU) General Data Protection
Regulation (GDPR) was published in the Official
Journal of the European Union1 and its application
date was officially set.2 The regulation entered
into force on 24 May 2016, but it applies from
25 May 2018. The GDPR works in conjunction
with, and expands upon, the EU directive on the
processing of personal data for crime prevention,
investigation and prosecution, published alongside it,
to achieve the common goal of personal data
protection. Together they bring the most sweeping
update to data protection rules the world has seen
in more than 20 years.
The vast majority of respondents (84 percent)
indicated that they anticipate that the GDPR
will impact their organization.3
The new GDPR, proposed by the European
Commission in January 2012 and agreed upon
by the European Parliament and the Council in
December 2015, replaces Data Protection
Directive 95/46/EC. Over the past four
years, proactive companies have implemented
the privacy processes and procedures needed
to comply with Directive 95/46/EC. They
will need to do the same once again for the new
protections for EU data subjects when the GDPR
becomes enforceable. Substantial fines and
penalties can be imposed on noncompliant
data controllers and processors.
The impact of this new regulation is pervasive.
Any organization that processes the personal data of
individuals in the EU is subject to the GDPR, regardless
of its size; the regulation’s 250-employee threshold only
relieves smaller organizations of some record-keeping
obligations (Article 30), it does not limit who must comply.
The GDPR applies to personal data processing by
organizations established in the EU and by organizations
outside the EU that offer goods or services to, or monitor
the behavior of, individuals in the EU (Article 3). Wherever
such organizations transfer personal data into or out of the EU, the
Ilya Kabanov, Ph.D., is an information technology expert with 15 years of experience in
enterprise IT. He has held leading transformation roles in IT strategy,
technology project management, security and data privacy in companies
ranging from a successful start-up to a global US $36 billion enterprise.
Currently, Kabanov provides leadership to a global applications security
and personal data privacy compliance initiative for a top global energy
management and automation provider. In 2013, Kommersant Magazine
recognized him as Russia’s best chief information officer in the logistics
and transportation industry. Kabanov is a member of the Institute
of Electrical and Electronics Engineers and the International
Association of Privacy Professionals and serves as a judge at the
MIT Sloan CIO Symposium.
Also available in French
Feature
Delivering Personal Data
Protection Compliance on a