The new EU GDPR is one of the most substantial security initiatives in many years. This is, on the one hand, because the scope of the regulatory work in the EU has been comprehensive and a long time coming. On the other hand, it is because the consequences of the EU GDPR have important implications for both the private and public sectors in Europe.
The EU GDPR covers many things. One common denominator, and the overall conceptual framework behind the EU GDPR, is that it is considered an exercise in confidence. An exercise in confidence entails the data subject "lending" their sensitive data to the data controller, and the data controller acknowledging that confidence by taking care of the data and by always being able to explain, in a meaningful and understandable manner, the purpose for which the information is to be used. This last part has not always been standard practice in the past.
Some things in the new EU legal text are well known. Others are completely new. In summary, the EU GDPR contains many requirements on how businesses shall process and protect personal information, and on which processes the businesses must put in place. The many requirements set out in the regulation will branch out into the individual organisations and call for new forms of co-operation between legal, IT, the individual departments and management.
A correct implementation first and foremost requires the correct administrative understanding and prioritisation of the task. Among other things, it involves setting requirements for your own organisation's handling of sensitive information. It also involves setting requirements for the organisation's suppliers and for the systems they use for data processing. For many, the task of keeping the sensitive information they handle safe is nothing new. What is new is that the EU GDPR requires you to be able to describe how you intend to keep data safe before you go about doing it. Then, it must be possible to demonstrate on-going compliance with your own policies, procedures and guidelines.