What The Board Needs To Know About the GDPR

Bob Gourley May 9, 2018

Executives in businesses around the globe have been tracking The European Union’s (EU) General Data Protection Regulation (GDPR) went into effect 25 May 2018. Those who operate primarily in the EU have had plenty of time to focus on this and no excuses for not paying attention. Those who operate primarily elsewhere also have no excuse to not be aware of the GDPR and should have already assessed how things should change because of these new rules. We have found, however, that many firms in the EU and the US and elsewhere are still not paying enough attention to these very serious rules. Admittedly our sample size is small and this may not be reflective of the majority of firms, but we have seen indications that many firms are adopting a strategy of putting their collective head’s in the sand or not really doing a serious assessment of the potential impact of GDPR on the firm.

The objective of these new rules is to improve privacy and security of critical personal information. The rules are also designed to harmonize many different rules active across Europe and this should make overall compliance easier. But still, for most, compliance will require changes be put into place for how data is stored and also changes put in place for how people can be put in control of their own data. Remember, the GDPR is not just about firms that operate in the EU. It applies to firms that have data on EU citizens. The GDPR requires that to collect info on EU citizens, the citizens must give their consent and the citizen also has the right to be forgotten. The data it applies to is broad, including even IP addresses.

At this point, just 20 days away from the compliance deadline, we recommend all firms do three things:

Read the rules yourself. They are not that hard to read and think about
Consult outside counsel. Pick a law firm you know and trust and ensure they have knowledge of the GDPR. Ask us if you need some recommendations.
Seek an external review of your technical architectures for compliance. Our firm, Crucial Point, is a good place to start here.

We recommend that boards (including Audit Committees for those that have them) should evaluate their company’s data retention activities and policies to see if they are in need of modification to comply. Boards should ask CEOs and the management team to assess where exposure to GDPR non compliance is greatest and prioritize actions to fix. Boards should ask questions to determine if line of business leaders realize they are responsible for compliance vice just assuming this is an IT function. And boards should know who the Data Protection Officer (DPO) is for the firm.

Here is more on the GDPR:

Fines for non-compliance are up to 4% of annual revenues.
Customers must consent for processing of their data
Personal data must be protected. This includes anything related to a natural person or anything that can be used to indirectly identify the person. This includes names, photos, email addresses, bank details, addresses, posts on social media sites, medical info, IP addresses
The rule describes a new position, a Data Protection Officer (DPO), which will be required for firms that do large scale monitoring or processing of sensitive data
Consent of users is required and it must be asked for and granted in specific ways before collecting and processing data.
Citizens are given new authorities over their data including right to have it removed (a right to be forgotten)
Data protections are expected to be designed into systems
If there is a breach of personal information, the citizen will be notified and impact assessments done
Transfer of data to other countries and organizations is regulated
Companies are expected to maintain a state of the art cybersecurity architecture and posture

We can accelerate your compliance with GDPR and do so in a way that helps your security posture. Contact us today and see if we can help you accelerate your compliance.

Additional reading:

About Bob Gourley

Bob Gourley is the CTO and Co-Founder of the due diligence and cybersecurity consultancy OODA LLC , which publishes CTOvision.com and OODAloop.com. Bob's background is as an all source intelligence analyst and an enterprise CTO.

Gain Powerful Insights Into The Future With OODA Loop’s Technology Tracking

In a continuation of our journey to bring the best, most actionable technology content to enterprise decision-makers we have merged our research and reporting activities into the OODAloop.com site (both CTOvision.com and OODAloop.com are owned and operated by OODA LLC). CTOvision will focus only on one small niche, a vision for a technology enabled future. […]

CTOvision and OODA: Big Changes Coming Soon

In a continuation of our journey to bring the best, most actionable technology content to enterprise decision-makers we are merging our research and reporting activities into the OODAloop.com site (both CTOvision.com and OODAloop.com are owned and operated by OODA LLC). This will give our community access to the same technology summaries we currently produce as […]

Give Your Career A Boost By Learning From Experienced Decision Makers

Our video and audio podcast, the OODAcast, provides content that can help accelerate your career and improve your decision making. The series is based on interviews of some of the greatest most accomplished enterprise technologists we can find. We ask questions designed to pull out lessons applicable to accelerating the career of any professional. We […]

Think Twice Before Deciding To Use A Personal VPN: You could be getting some really bad advice

From the 1930s to 1950s (far too long) the medical community just would not wake up to the fact that cigarettes could cause harm (see More Doctors Smoke Camels). Why did they stick with this misperception for so long? When so many good people come to the wrong conclusion it probably means some deeply human […]

Please help spread the word: USNI and NIP Essay Contest: This year’s challenge area a key one for the nation

Please help share the content at this link to any thinker/writer you know: 2020 Information Warfare Essay Contest This contest is open to all contributors, active-duty, military, reservists, veterans, and civilians. Generally the winners have had a solid understanding of the nature of modern conflict, but really any thinkers/writers should look over the contest and […]

Centripetal wins historic $2.6-$3.2 Bil vs. Cisco Systems; largest US patent infringement award to date

Editor’s note: I am proud to say I have a history with Centripetal Networks serving on their board and then later as an advisor. It was horrible to learn that a Tech Titan like Cisco was infringing on their patents. It is good now to see when the facts were reviewed justice was done. -bg […]

Super Bowl Ads Indicate Big Businesses Think You Are Afraid of AI

Tom Loftus provided an insightful review of some of Super Bowl ads in the 4 Feb 2019 Wall Street Journal. Like AI parody in SNL, these ads really poked fun at computers: Seriously, did anyone catch the commercials? If the Super Bowl is the zeitgeist, then it is safe to say that America is not […]

HBO’s Westworld: The Man In Black is a special kind of Twitter user

HBO’s Westworld is a modern take on the Michael Crichton SciFi tale of a robotic amusement park. The HBO version has a new twist. The creators/writers were all exposed to years of Twitter, which has influenced every episode and the entire arch of two seasons of the show. Now that season two is wrapping up, […]

All Enterprise Techies Should Watch HBO’s SciFi Epic Westworld: It will help us dialog over shared experiences on what we will not be creating

Westworld season one was a great mix of science fiction and drama and action and it was done in a way that should help people think through many tech ethics questions, like how do we want to treat our robots? Does treating robots with violence change our nature? Can robots become sentient? HBO has a […]

Share this:

Related

About Bob Gourley

More Content

Cyber War

SciFi