EU GDPR

In 2003 California rocked the privacy world when it passed California S.B. 1386.  This law stated that any organization that was breached and had the personal data of California residents had to notify those individuals that their data was breached. While the law was only passed in California, the law impacted any organization in the United States that handled the data of any California resident. The impact of the law has been huge as it has been the driver for so many breaches going public in the past 15 years.

GDPR is the same thing, but on a global scale. The EU General Data Protection Regulation, which goes in effect 25 May, 2018, states that any organization that handles the personally identifiable information of any living EU resident must protect that information.  If that information is breached, that organization must report the incident and notify those individuals.  This regulation replaces the current EU Data Protection Directive.  Ultimately the goal for both regulations is the same, the protection of EU personal information, however the biggest difference is the new GDPR has teeth.  Organizations have 72 hours to report when breached, and can be fined up to 4% of their global revenue, which is ALOT of money.  Many European companies have been investing resources preparing for GDPR.  My concern is most organizations outside of Europe have NOT, and they will be caught with their pants down next year (Equifax anyone?).  If you handle the data of European individuals (which you probably do and may not even realize it), GDPR applies to you, REGARDLESS of where you are located.

Need to get spun on GDPR and what it means?  SANS Instructor (and one of our top Subject Matter Experts) Ben Wright did an excellent summary of what GDPR is and what it means to you.  Also, if you are a customer of SANS Security Awareness, we already have you covered for your awareness program.  Want to learn even more about GDPR and how it applies to awareness?  Join us for the EU Security Awareness Summit 6/7 December where some of the world's top experts, including Brian Honan, will be speaking on just this topic.

About the Author
Thumbnail

Lance Spitzner

Director, SANS Security Awareness
Lance Spitzner has over 20 years of security experience in cyber threat research, security architecture, awareness and training. He helped pioneer the fields of deception and cyber intelligence and founded the Honeynet Project. In addition, Lance has published three security books, consulted in over 25 countries and helped over 350 organizations build programs to manage their human risk. Lance is a frequent presenter, serial tweeter ( @lspitzner ) and works on numerous community security projects. Mr. Spitzner served as an armor officer in the Army's Rapid Deployment Force and earned his MBA from the University of Illinois.