The Countdown to EU GDPR: Are Organizations Ready?

By Fouad Khalil

Posted on Dec 1, 2017

On May 4, 2016 after four years in the making, the European Union (EU) General Data Protection Regulation (GDPR) was published and an application date was set:  May 25, 2018.  

With Black Hat Europe this week and the GDPR deadline getting closer every day, many practitioners are discussing and analyzing the potential ramifications of GDPR on their organizations. While the regulation went into effect on May 24, 2016, this application date of May 25, 2018 provides a tangible reminder of the importance of developing and maintaining an effective cybersecurity posture.  

How GDPR differs from the Data Protection Directive

This new European legislation, General Data Protection Regulation (GDPR), will replace the long-standing Data Protection Directive 95/46/EC. In addition to from the regulation’s enforceability, it also:

  • Introduces stricter rules on how businesses process personal customer data.
  • Expands the scope and definition of what is considered personal information.  
  • Introduces hefty fines-- causing decision makers to re-evaluate measures to safely process personal data.

Key provisions Within GDPR

Per the regulation, “The protection of the rights and freedoms of data subjects with regard to the processing of personal data require that appropriate technical and organizational measures are taken, both at the time of the design of the processing and at the time of the processing itself, to ensure that the requirements of this Regulation are met.”

The regulation covers many areas. Some of the key provisions are as follows:

  • Increased fines that may be up to 4 percent of global turnover or 20 million Euros, whichever is greater.
  • Users must give clear consent to the use of their data.
  • There are specific breach notification requirements.
  • Controllers and processors are both liable for any data loss.
  • Data responsibility follows data out of the EU.
  • This law applies across the entire EU and impacts companies worldwide.

Who is subject to this regulation

Companies with more than 250 employees that process personal data for EU citizens will be subject to GDPR. Regulators and practitioners suggest that IT leaders involved with security management should focus on the following in their efforts to comply with GDPR:

  • Determine the organization’s role under GDPR;
  • Appoint a Data Protection Officer (DPO) to lead the task force to address GDPR compliance challenges;
  • Review personal data processing operations and evaluate cross-border data-flow compliance;
  • Establish and maintain an internal framework for accountability;
  • Institute a comprehensive central business registration and documentation of data processing activities; and
  • Seek legal advice in the pursuit of risk-based timely compliance decisions.

The definition of “personal data” under GDPR

Similar to many U.S.-based regulations designed to protect personally identifiable information, protected health information, credit card information, and other sensitive information, GDPR is expanding current rules and definitions to include all “personal data.” It defines personal data as any information relating to an identified or identifiable natural person ('data subject').

Personal data includes online identifiers and location data – meaning that the legal definition of personal data now puts beyond any doubt that IP addresses, mobile device IDs, and other online identifiers are all ”personal” and must be protected accordingly. 

The GDPR also introduces a new concept of “pseudonymous data” – in simple terms, personal data that has been subjected to technological measures (like hashing or encryption) such that it no longer directly identifies an individual without the use of additional information. Pseudonymous data is still considered a type of personal data and so is subject to the requirements of the GDPR.

The complexity of data subject rights

GDPR introduces data subjects’ rights-- this makes compliance a bit more challenging for practitioners. While the core rules remain the same (compliance with all six principles), organizations now have to consider the stricter requirements on consent, additional protections around child consent, new data access rights such as the right to be forgotten and the right to data portability, and the requirement to inform data subjects on any profiling, such as online tracking and behavioral advertising.  


At SecurityScorecard, we’ve defined a few key points to remember as the May deadline approaches:

  • Ignoring or delaying GDPR compliance could have costly repercussions.
  • GDPR has many obligations, but many of them can be resolved quickly and easily.
  • Organizations could face significant budgetary, IT, personnel, governance, and communications implications.
  • Senior management buy-in is critical, and a lack of involvement at the management level could result in failures in compliance.
  • It’s essential to know what, where, and how data is processed.
  • Educating the masses is a pivotal cornerstone to an effective cybersecurity posture.
  • Organizations should be ready to report a breach; the stringent notification requirements require 72-hour notification under most circumstances.

The SecurityScorecard platform can help practitioners achieve continuous compliance with standards and regulations, like GDPR. The cyber security platform monitors vulnerabilities for companies and their vendors in key risk areas, highlighting opportunities for organizations to improve their cybersecurity posture and to ensure an effective compliance posture. Savvy organizations understand that enterprise security is only as strong as the third-party security that forms its foundation. GDPR compliance will be achieved through a continuous collaborative dialogue throughout their vendor ecosystem. Feel free to visit Booth #301 at Black Hat for more information.

Key definitions in GDPR

  • Data Controller (Organization) means “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”
  • Data Subject (Individual) means an identifiable natural person “who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, or an online identifier.”
  • Processor (Service provider) means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
  • Supervisory authority (GDPR enforcer) means an independent public authority which is established by member state pursuant to Article 51. The supervisory authority is the governmental organization in each member state that will be responsible for enforcement of the GDPR.
  • Personal data means any information relating to an identified or identifiable natural person (data subject). The regulation also states this also includes online identifiers such as IP addresses and cookies.

No waiting, 100% Free

Get your personalized scorecard today

Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.

Get Your Free Score

Get In Touch

Thank you for contacting us!