Chief Technology Officer/CISO
Why Do Americans Care About Foreign Compliance Standards?
Data protection standards aren't anything new. The General Data Protection Regulation (GDPR) we're seeing in the news is a replacement for an existing regulatory directive (Directive 95/46/EC) that has been in force in the EU since 1995. The reason it's demanding so much attention now is that, while the regulation comes from the EU, its scope isn't defined by where a company is located but by whose data it handles. Any company in any country may need to comply with GDPR if it stores or processes the personal data of individuals in the EU, whether or not it has an EU presence.
Penalties for non-compliance are significant (up to 4% of annual global turnover or 20 million euros, whichever is higher) and the enforcement date has been announced as 25 May 2018. The controls aren't spelled out as precisely as those in many existing US compliance programs (HIPAA, FIPS, etc.); however, the consequences of failing to meet them have been made very clear.
If your organization has any employees, contractors, customers, or third-party partners in the EU, then you need to understand your GDPR risk exposure. In some cases no action is needed. If you do find yourself in scope, the necessary actions range from program and process documentation to a full overhaul of critical systems and applications in order to demonstrate GDPR compliance.
Below are links to two straightforward articles that go into more detail. We know the timelines and the penalties for failing to comply. It's time to find out whether we're holding any data that makes us accountable to this foreign regulation.