EU GDPR

In 2003 California rocked the privacy world when it passed California S.B. 1386.  This law stated that any organization that was breached and had the personal data of California residents had to notify those individuals that their data was breached. While the law was only passed in California, the law impacted any organization in the United States that handled the data of any California resident. The impact of the law has been huge as it has been the driver for so many breaches going public in the past 15 years.

GDPR is the same thing, but on a global scale. The EU General Data Protection Regulation, which goes in effect 25 May, 2018, states that any organization that handles the personally identifiable information of any living EU resident must protect that information.  If that information is breached, that organization must report the incident and notify those individuals.  This regulation replaces the current EU Data Protection Directive.  Ultimately the goal for both regulations is the same, the protection of EU personal information, however the biggest difference is the new GDPR has teeth.  Organizations have 72 hours to report when breached, and can be fined up to 4% of their global revenue, which is ALOT of money.  Many European companies have been investing resources preparing for GDPR.  My concern is most organizations outside of Europe have NOT, and they will be caught with their pants down next year (Equifax anyone?).  If you handle the data of European individuals (which you probably do and may not even realize it), GDPR applies to you, REGARDLESS of where you are located.

Need to get spun on GDPR and what it means?  SANS Instructor (and one of our top Subject Matter Experts) Ben Wright did an excellent summary of what GDPR is and what it means to you.  Also, if you are a customer of SANS Security Awareness, we already have you covered for your awareness program.  Want to learn even more about GDPR and how it applies to awareness?  Join us for the EU Security Awareness Summit 6/7 December where some of the world's top experts, including Brian Honan, will be speaking on just this topic.

About the Author
Thumbnail

Lance Spitzner

Director, SANS Security Awareness
Lance has over 20 years of security experience in cyber threat research, awareness and training. He invented the concept of honeynets, founded the Honeynet Project and helped pioneer the field of cyber intelligence. Lance has published three security books, consulted in over 25 countries and helped hundreds of organizations establish mature security awareness programs. Lance serves on the Board for the NCSA, is a frequent presenter, serial tweeter ( @lspitzner ) and works on numerous community security projects. He served as an armor officer in the Army's Rapid Deployment Force and earned his MBA from the University of Illinois.