This Backgrounder highlights the key themes of the GDPR to help you understand the new EU regulation. On 25th May, 2018, the EU General Data Protection Regulation (GDPR) will be enforced. The goal of this legislation is to provide a strong, unified data protection framework across all EU member states. The GDPR is devoted to individuals’ privacy rights and the organisational controls required to protect those rights.

1. T: 0333 234 4288 W: www.networkiq.co.uk E: info@networkiq.co.uk
GDPR Backgrounder
The General Data Protection Regulation is a compliance mandate
with potential fines for mishandling of personal data. A great deal
of the legislation is devoted to individuals’ privacy rights and the
organisational controls required to protect those rights. GDPR isn’t
just for companies in the EU. It applies to any organisation that
collects and uses personal information to provide goods or services
to EU citizens and residents. Let’s take a closer look at the
regulation and why it’s getting so much attention.
• GDPR is a compliance mandate. It’s a law, and it’s not an option. If an organisation does
business in the EU, then it’s most probably subject to GDPR compliance. It doesn’t matter if
the company is based in EU member states or elsewhere. The deadline is 25th
May, 2018 and
fines for non-compliance can be up to 20 million Euros or up to 4% of the organisation’s
worldwide revenue, whichever is higher. The potential for large fines is in part why GDPR is
getting so much attention. It’s also possible that legal action could be taken against
organisations under this law.
• GDPR is “lengthy”. The full legislation is 261 pages long beginning with 173 “Whereas”
clauses (for context) and then followed by 99 “Articles of Law” (the rules) that begin on Page
108. The Articles are the real meat of the legislation, but it’s not easy reading: Here is an
excerpt from Article 2: “This Regulation shall be without prejudice to the application of
Directive 2000/31/EC, in particular of the liability rules of intermediary service providers in
Articles 12 to 15 of that Directive.” It’s easy to see why many organisations will ask help
from trusted Consulting and Service Partners.
• GDPR is broader than cybersecurity. The name “General Data Protection Regulation” has
“data protection” directly in the centre of the acronym, which naturally lets you think about
cybersecurity. But it’s not just about protecting data from breaches or unauthorized access:
The law has a lot to do with governance over how an organisation uses that information as
well as the rights granted to individuals whose personal information is held by that
organisation. GDPR is heavy on privacy rights. It actually provides individuals with many
rights concerning how their data is used, shared, processed, and retained.
• GDPR requires Breach Notification. GDPR requires supervisory authority notification within
72 hours of discovering a data breach. Therefore, organisations subject to GDPR compliance
must have a well-established incident response plan that includes fast and accurate
outbound notification.

2. T: 0333 234 4288 W: www.networkiq.co.uk E: info@networkiq.co.uk
• GDPR is very high level. GDPR is written at a high level, and large portions of it involves
people- and process-related controls. The GDPR legislation calls these “organisational
controls.” Consider Article 35, Data Protection Impact Assessment, which says that before
any new types of processing can occur on personal data, the organisation must first
complete an assessment to determine whether this processing is likely to create a high risk
to the rights and freedoms of individuals’ data. It states that a Data Protection Officer should
be engaged to conduct an impact assessment and make a final risk determination.
• Due Diligence. GDPR requires “appropriate security” to protect personal information, but it
does not explain exactly how to achieve it. Therefore, organisations subject to GDPR
compliance must apply due diligence to determine what “appropriate security” means for
them under the spirit of this law.
• GDPR is technology agnostic. It is no simple task to map GDPR requirements to specific
cybersecurity products to this regulation, particularly since it mentions no specific
technologies or technical requirements. GDPR talks about the “what” and not the “how.”
That’s why many organisations are likely to seek supporting guidance from best practices
like the ISO 27000-series publications to help them achieve and prove compliance. It’s much
easier (though still a big task) to map specific technologies and services to these more-
specific publications because they are written more prescriptively than GDPR.
• GDPR is meant to be an enabler. On the surface, GDPR just sounds like a lot -- a lot -- of
compliance work. But it’s actually meant to streamline the many different laws currently on
the books in different EU member nations. In other words, instead of having to follow
dozens of rule frameworks, a different one for each EU member, GDPR is meant to eliminate
obstacles that prevent the free flow of data throughout the EU as a whole. Comply once
with GDPR, and you’re compliant throughout the entire EU.
A Word about Security and Privacy
As we stated above, GDPR is heavy on privacy rights. Of course, “Security” and “Privacy” often go
hand in hand, but there are differences between the two.
So, what are the differences between Security and Privacy?
Let’s use an example from GDPR Article 17 to illustrate: The “right to erasure” means that you, as an
individual doing business with a company, have the right to demand that all of your information is
permanently deleted from their systems. It’s a privacy right that’s related to security, but isn’t
exactly “Security” in the traditional sense of the word. Think about all of the personal information
you hand over to governments and organisations when you do business with them. Absolutely you
expect “Security” from these organisations so that your information is safe from hackers and data
breaches. But if you decide to close your customer account, will the company permanently purge
your data from their systems at your request? Under GDPR, organisations must comply. It’s GDPR
Article 17, Right to Erasure, that provides individuals with that Privacy right.