
Understanding GDPR
The Security Leader’s (Really Concise) Primer
As the effective date for the GDPR nears, information security leaders are seeking guidance about this new regulation. Though there is much to discuss when it comes to GDPR compliance, the following short primer answers some of your most basic questions.
1. What the heck is GDPR?
The GDPR (General Data Protection Regulation) is a regulation enacted by the European Union (EU) in 2016. This new rule serves many purposes, though in short, GDPR:
- Repeals the 1995 Data Protection Directive, and addresses certain hurdles impeding economic growth for the EU by harmonizing data protection regimes across EU member countries and simplifying compliance and enforcement;
- Focuses on balancing fundamental human rights and freedoms for “natural persons” who are in the EU, with the objectives of the EU’s Digital Single Market strategy;
- Strengthens protections for individuals via enhanced requirements for data privacy risk assessments, notice, choice, consent, data portability, right-to-be-forgotten and breach notification, among others;
- Adapts to technological developments that have emerged in the years since the enactment of the Data Protection Directive;
- Clarifies obligations for both data controllers and data processors (i.e., the organizations which process personal data and/or provide the means for processing personal data); and
- Enacts a new penalty structure that includes administrative fines of up to 4% of worldwide revenue for certain violators (Yikes!).
2. Why is everyone talking about GDPR now?
The effective date for GDPR is 25 May 2018, less than a year away. Many organizations recognize that implementation activities must begin today to be compliant with GDPR’s mandates.
3. Isn’t GDPR a legal thing? Why can’t the lawyers handle this?
Legal professionals play a critical role by helping interpret GDPR compliance obligations, establishing policy and defending our organizations in the event of GDPR-related enforcement actions. Attorneys may not, however, be called upon to assist organizations with the implementation of controls and processes in support of GDPR compliance. Many key functions have a role to play in deploying GDPR controls and processes, including, of course, information security.
4. Who typically leads GDPR readiness efforts?
For organizations that have a Chief/Data Privacy Officer (C/DPO) in place, this person will often be tapped to lead GDPR readiness efforts. Otherwise, organizations choose a leader that reflects the culture of the organization. Firms that view GDPR as chiefly a legal liability are likely to appoint General Counsel or the Chief Compliance Officer (CCO) to lead implementation efforts. For those who see GDPR as a material factor in marketing and sales initiatives, the Chief Operating Officer (COO) or Chief Marketing Officer (CMO) will lead. Some firms see GDPR as an issue closely aligned to IT, and thus will appoint the Chief Information Officer (CIO) or Chief Information Security Officer (CISO) to oversee readiness efforts. Since GDPR crosses many organizational functions, whoever leads readiness efforts must have the authority to effect change throughout the firm.
5. Does GDPR define specific things that security leaders need to do?
Like most laws and regulations, the GDPR does not go into many specifics about the types of information security solutions required for compliance. Luckily for organizations with a security leader in place, there is a strong possibility that the firm already has many of the basic information security control requirements in place. In these scenarios, security leaders should, at a minimum, conduct a gap assessment to ensure that existing controls meet GDPR standards.
Smaller firms that lack formalized controls may discover that they must implement new information security processes and technologies to comply with GDPR. These firms often call on qualified outside experts to help ensure that the adoption of new GDPR-supportive controls is reasonable, appropriate and economical.
It may be helpful to parse the sections of GDPR into logical chunks to identify potential areas where information security is involved. For the benefit of our readers, we provide a worksheet to get you started.

6. Where should I start in my GDPR preparations?
First and foremost, organizations should seek an understanding of whether GDPR applies to their business operations. For many, this is when a lawyer comes in handy. S/he can provide the legal advice needed to decide whether to move forward on GDPR readiness.
Assuming that GDPR does apply, we suggest that organizations begin by identifying the scope of the regulation within their operations. By fencing off the functions and processes that are in scope, firms can minimize the disruptions created when implementing new or enhanced controls. Part of this scoping work includes identification of the personal data and sensitive personal data that fall into regulatory purview. Following this stage, the firm should conduct a comprehensive gap or risk assessment, aligned with the requirements of GDPR. Only after completing these first two stages should an organization develop a strategy for addressing potential gaps in GDPR compliance.
7. How does the Privacy Shield program relate to GDPR?
One of the key tenets of GDPR’s data protection requirements relates to cross-border flows of personal data. The basic thrust of this requirement is that transfers (out of the EU to third countries) of personal data are permitted only when the receiving third country provides assurances that it enforces an “adequate” level of data protection, generally consistent with GDPR’s standards. A special commission is responsible for making such adequacy determinations.
One such adequacy agreement is between the EU and the US, embodied in the Privacy Shield Framework (previously called Safe Harbor). Privacy Shield enables US-based organizations to self-certify their compliance with, and public commitment to, the Framework as a requirement for transferring personal data from the EU to the US. Many firms — especially small and mid-sized businesses — find self-certification to Privacy Shield’s requirements preferable to other available options for complying with GDPR standards. Naturally, the decision to choose the Privacy Shield route should be informed by advice and guidance from legal professionals and/or data privacy experts.

SDS’ experienced data privacy and security professionals stand ready to assist your organization as you prepare for GDPR. Choosing a knowledgeable advisor will help ensure that your efforts have maximum impact, even with limited budgets and resources. Contact Secure Digital Solutions today to learn more!
