
What is it?

A European Union regulation designed to give people more control over their personal data and to define how organizations must process such data.

Why is it important?

The GDPR expands the scope of data protection globally. This is important because it applies to many more organizations than previous regulations. In particular, the GDPR applies to any entity that has an establishment (any place of business) in the European Union and collects or processes personal data about any person in the world. And it applies to any entity that collects or processes personal data from a person in the European Union, regardless of where that entity is based.

Why does a business professional need to know this?

The EU GDPR is the most significant change in data privacy regulation in the European Union since 1995 (EU GDPR). It affects the overall risk and security management processes of any company that collects or processes information about a person in the European Union. Business professionals worldwide, not just in the EU, need to comply with the GDPR.

Key elements of the GDPR, which became effective in May 2018, include the following:

  • Territorial scope: GDPR applies to all companies in the EU and overseas that do business with individuals who are in the EU (regardless of their citizenship), and regardless of whether the data processing occurs in the EU or elsewhere.
  • Penalties: Organizations that breach the GDPR can be fined up to the greater of 4% of annual global turnover or €20 million.
  • Consent: Requests for consent must be presented in clear, plain language, clearly distinguishable from other terms and conditions, and consent must be as easy to withdraw as it was to give.
  • Data breach notification: A personal data breach must be reported to the supervisory authority within 72 hours of the organization becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms; affected individuals must also be notified when the risk to them is high.
  • Right to access: Consumers have the right to know what their data is being used for and to receive a copy of their data.
  • Right to be forgotten: Also known as the right to erasure, this says that consumers may request that their data be erased. This right comes with some qualifications.
  • Data portability: Consumers can access their data and send it to another company, again with some qualifications.
  • Data Protection Officers and Privacy Impact Assessments: Organizations that are public authorities, that engage in large-scale regular and systematic monitoring, or that process special categories of personal data at scale must appoint a Data Protection Officer, a single person responsible for compliance. Before starting any processing that is likely to result in a high risk to individuals, an organization must also carry out a Data Protection Impact Assessment (DPIA), often called a Privacy Impact Assessment.

The GDPR represents a major change to the way that personal data must be handled. All companies, worldwide, should look closely at their operations; there are provisions in the GDPR that, if not carefully followed, could lead to steep fines. All organizations need to conduct a comprehensive audit to ensure that they collect, store, manage, and use personal data in accordance with the GDPR.

References

About Regine Bonneau

Photo of Regine Bonneau

Regine Bonneau is a leading expert on cybersecurity, governance, risk management, and compliance. Her career spans 20 years with a focus on technology and processes in the healthcare, financial, legal, and energy sectors. Ms. Bonneau is the founder of RB Advisory, LLC, which provides cyber risk management, security assessments, compliance services, forensic audits, and privacy consultations for private-sector and government clients. She is a sought-after speaker and holds leadership roles in several technology industry associations. 

Term: General Data Protection Regulation (GDPR)

Email: rbonneau@rbadvisoryllc.com

Website: rbadvisoryllc.com

Twitter: @luderbonneau

LinkedIn: linkedin.com/in/regine-bonneau-ctprp-22500824

Facebook: facebook.com/regine.bonneau.5

What is it?

A prescriptive information security standard designed to protect the confidentiality of credit and debit card data.

Why is it important?

All organizations that store, process, or transmit payment card data typically have a contractual requirement to comply with PCI DSS. Some countries and US states also mandate PCI DSS compliance by law (PCI-DSS standard).

Term: Payment Card Industry Data Security Standard (PCI DSS)

What is it?

The safeguards or countermeasures an organization puts in place to protect its information and systems, preserving confidentiality, integrity, and availability (CIA).

Why is it important?

Controls are important because without them, an organization has no concrete safeguards in place to protect its information and assets; a policy that is not backed by a control is only a statement of intent.

Term: Controls

What is it?

The concept that individuals own all of their personal information and have sole authority over who should have access to their information and how, when, and where it can be distributed.

Why is it important?

All organizations that deal with protected health information in the US must abide by the Health Insurance Portability and Accountability Act (HIPAA) (HIPAA). In addition, the European Union's General Data Protection Regulation (GDPR) affects all organizations that deal with people in the European Union, regardless of where the organization is based. To abide by the law and to respond to customer needs, business professionals must take privacy seriously.

Term: Privacy

What is it?

A set of rules, usually backed by a legal mandate, that control an activity or environment and provide a means for compliance to be inspected and enforced.

Why is it important?

The internet is an ever-changing environment where the rules are constantly being amended and updated as new technologies emerge. Regulations attempt to control the technological environment and the human behavior associated with it.

Term: Regulation

What is it?

A common set of rules designed to ensure interoperability between different products, systems, and organizations.

Why is it important?

Standards provide stable, long-term guidelines that products can be validated against to ensure they will operate correctly and securely with other products that adhere to the same standard. Standards reflect the best practices of experienced cybersecurity professionals.

Term: Standards

What is it?

A set of mandatory requirements that apply to specific areas of an organization’s operations, including cybersecurity.

Why is it important?

Policies are important because they define the strategic intent behind the rules, regulations, protocols, and procedures that the organization or industry implements.

Term: Policy

What is it?

A strategy that helps reduce fraud and error by assigning two or more parts of a transaction to separate individuals. For example, the same person should not be able to enter an invoice then approve payment.

Why is it important?

Separation of duties (SoD) (also known as segregation of duties) prevents the same person from performing two or more parts of a transaction that would be susceptible to error or fraud if performed by one person. Fraud perpetrated through the lack of internal controls can lead to the loss of money, reputation, and market share as well as risking fines from regulators and, perhaps ultimately, shutdown of the organization.

Term: Separation of Duties

What is it?

An assurance that information can be requested by and delivered to authorized individuals whenever required.

Why is it important?

Availability is part of the confidentiality, integrity, and availability (CIA) security triad. Even if information is kept confidential and has integrity, it still must be available so that authorized individuals can access the information in a reasonable period of time.

Why does a business professional need to know this?

A business professional needs to understand availability because it constitutes one leg of the confidentiality, integrity, availability (CIA) security triad, which is the foundation of secure information in cybersecurity.

Your efforts to secure your systems and data mean nothing if that data is not available to authorized users (individuals or other systems). Availability can be compromised by malicious individuals or by accident in many ways, including the following:

  • Distributed Denial of Service (DDoS) attacks, which attempt to slow down or crash systems by flooding a system with requests from many different systems
  • Malicious software that either crashes or slows down a system
  • System slowdowns or crashes caused by malicious insiders or human error
  • Unexpectedly high volume of legitimate requests (e.g., a popular item goes on sale)

To help ensure availability, organizations need to plan for peak usage, for example by using load balancing and failover strategies, and to limit how much of a system's capacity any single source can consume. They also need to follow best practices for creating a strong cybersecurity defense. These include vulnerability assessments, business continuity planning, and incident response planning.

While these practices are not inexpensive, consider the loss in sales and productivity if your systems and data were to become unavailable for an extended period of time.
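As an added example (not part of the original entry), the Python below models one common control against the request floods described above: a per-source token bucket, which caps how fast any single source may send requests so that a flood from a few sources cannot starve everyone else. The request log, the IP addresses, and the bucket parameters are all constructed for illustration; the log is processed offline to show which requests would be served and which dropped.

```python
"""Per-source token-bucket rate limiting over a constructed request log.

Each source gets a bucket holding at most `capacity` tokens that refills at
`refill_rate` tokens per second. A request is served only if a token is
available, so a source that bursts faster than the refill rate is throttled
while well-behaved sources are unaffected.
"""
from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    capacity: float
    refill_rate: float               # tokens added per second
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = self.capacity  # a fresh bucket starts full

    def allow(self, now: float) -> bool:
        """Refill for the time elapsed since the last call, then spend one token if possible."""
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def parse_line(line: str):
    """Log format assumed here: '<seconds> <source_ip> <path>'."""
    ts, src, path = line.split()
    return float(ts), src, path


def rate_limit(log_lines, capacity: float = 5, refill_rate: float = 1.0) -> dict:
    """Replay a log through per-source buckets; return {src: {"allowed": n, "dropped": n}}."""
    buckets: dict[str, TokenBucket] = {}
    stats: dict[str, dict[str, int]] = {}
    # Buckets track time per source, so lines must be replayed in timestamp order.
    for line in sorted(log_lines, key=lambda ln: parse_line(ln)[0]):
        ts, src, _path = parse_line(line)
        bucket = buckets.setdefault(src, TokenBucket(capacity, refill_rate))
        counts = stats.setdefault(src, {"allowed": 0, "dropped": 0})
        counts["allowed" if bucket.allow(ts) else "dropped"] += 1
    return stats


# Constructed sample traffic (addresses from documentation ranges, not real hosts):
# a legitimate shopper sending four requests over three seconds, and a single
# flooding source sending twenty requests within one second.
LEGIT_LINES = [f"{t:.2f} 203.0.113.5 /checkout" for t in (0.10, 1.00, 2.00, 3.00)]
FLOOD_LINES = [f"{i * 0.05:.2f} 198.51.100.7 /search?q=x" for i in range(20)]
SAMPLE_LOG = LEGIT_LINES + FLOOD_LINES


if __name__ == "__main__":
    for src, counts in rate_limit(SAMPLE_LOG).items():
        print(f"{src}: served {counts['allowed']}, dropped {counts['dropped']}")
```

With a capacity of 5 and a refill of 1 token per second, the flooding source gets its first five requests served and the remaining fifteen dropped, while the legitimate shopper is never throttled. The caveat a practitioner should keep in mind: per-source limiting helps against a few abusive senders, but not against a distributed flood spread over thousands of addresses or against the legitimate surge in the last bullet above, which is why capacity planning, load balancing, and failover are listed alongside it.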

About Michael Moorman

Photo of Michael Moorman

Michael Moorman has been a full-time faculty member at Saint Leo University for 27 years, teaching computer information systems, computer science, and cybersecurity courses. He is a member of the IEEE Computer Society, a senior member of the ACM, and a Certified Information Systems Security Professional (CISSP). Prior to earning his doctorate and becoming a professor, he served in the US Air Force as a pilot and engineer.

Term: Availability

Email: Michael.Moorman@saintleo.edu

What is it?

An assurance that information remains unaltered from its intended state as it is produced, transmitted, stored, and received. Ensuring integrity may include ensuring the non-repudiation and authenticity of information as well.

Why is it important?

Integrity is considered by many to be the most important element of the confidentiality, integrity, and availability (CIA) security triad. Any system that is otherwise available and confidential can still be rendered useless if a user cannot be confident that the information it contains is trustworthy, accurate, and complete.

Term: Integrity