GDPR: Ready or Not, Here it Comes
By Michael Corcione, Managing Director, Cybersecurity and Data Protection Consulting Services, Cordium
The incoming General Data Protection Regulation may be an EU initiative, but it is having a worldwide impact. The new rules have a significant extraterritorial
Investment firms that are not already preparing for these new rules need to put a program in place urgently. GDPR goes live in May 2018 – and punishment for non-compliance will be severe, with fines of up to €20 million or 4% of annual turnover.
GDPR contains a tough set of data privacy and security requirements – spanning 99 articles and 173 recitals. This provides an enormous amount of regulatory detail, but key requirements include:
UK-based firms should review their existing information security and data protection framework with a view to GDPR compliance – the government has confirmed that this will be implemented in spite of Brexit. Although the GDPR builds on pre-existing legislation, many elements are new and it is a regulation, not a directive.
Firms need to perform a readiness assessment – a process that will tease out the “real world” requirements which align with the specific articles for GDPR. The completed assessment will gener
Investment firms not within the EU need to review whether or not they fall under the GDPR – if they market products to EU citizens then the chances are that they probably do. The good news is that in some jurisdictions, such as the US, firms that are compliant with existing data protection regimes – such as ISO 27001 or the National Institute of Standards and Technology (NIST) framework – should already have made some progress towards GDPR compliance. However, firms still need to perform a gap analysis to understand the areas in which they need to implement additional policies, procedures, and controls.
All firms that need to comply with the GDPR – no matter where they are located – should consider incorporating its requirements into their overall information and cyber security strategy. By doing this, the firm will benefit from tighter data controls and operations, and a stronger information and cyber security program. The new regulation can provide the internal momentum for investment in key tools and solutions that will not just deliver compliance, but also strategic value for the organization overall.
Approximately a third of firms require substantial changes to their data security practices.
Only 1 in 50 firms have finished their preparations.
Outsourcing regulatory responsibility is not an option.
Fewer than one in ten are prepared for the EU regulation's May deadline.
The short code provides a secure data repository for personal information.