Preparing for GDPR compliance

October 9th 2017
Where you need to be now and how to get there
Failure to comply with the EU General Data Protection Regulation (GDPR) leaves firms vulnerable to penalties, but many U.S. companies doing business in Europe are in danger of missing the deadline. Here’s how to catch up.

By Doug Drinkwater

In an industry awash with buzzwords, GDPR ticks every box. Acronym? Check. Experts galore? Check. Filling marketing banners at trade shows? Definitely check. Behind the noise, hype, and misunderstanding is a substantial piece of legislation that will change how organizations operating in Europe approach data protection.

Set to come into full effect on May 25, 2018, GDPR marks a significant update to the existing 1995 EU Data Protection Directive (95/46/EC). It also harmonizes data protection across the 28 EU member states, replacing the patchwork of national implementing legislation. The headlines are naturally about fines of up to €20 million or 4 percent of global annual turnover (whichever is higher), as well as mandatory breach notification, new rules around user consent, a clearer definition of what counts as personal data (online identifiers such as IP addresses, for example), and greater rights for people to access, or request deletion of, the information companies hold on them.

As such, GDPR transcends IT and spreads into areas like sales and marketing, but this complex legislation carries numerous misconceptions. For example, it is often believed that consent must always be explicit, that the 4 percent fine applies to all data breaches (it doesn't; it is the upper tier reserved for the most serious contraventions), and that every organization must appoint a data protection officer (the DPO role is mandatory only for public authorities and for organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of "special categories of data"). The ambiguity over who is a data processor and who is a data controller, not aided by the controversial Google Spain ruling of 2014, has also caused headaches, especially around data stored in the cloud.

This confusion has had consequences: A recent study from WatchGuard revealed that one in three global organizations weren't sure whether they needed to comply with GDPR, while similar studies have indicated that numerous U.S. firms think the regulation won't affect them (it does if they process the personal data of people in the EU, whether by offering them goods or services or by monitoring their behaviour). At a conference in July, one speaker revealed that four FTSE 100 companies had yet to start moving toward GDPR compliance, a sign perhaps that fear is stopping progress.

A common reality, though, is that GDPR isn't far removed from existing data protection regulations; it's just that organizations weren't well prepared for those either. "The big shock everyone has with GDPR is that they weren't operating in compliance with current data protection legislation," says Christian Toon, CISO at legal firm Pinsent Masons. "A lot of businesses are now holding back full implementation for compliance because it's hard to determine what compliance looks like, and are putting faith that a clear plan of action will be enough to deter the regulator."

Jon Baines, DPO at Network Rail, agrees that GDPR isn’t such a departure from the past. “GDPR marks an evolution in data protection law, not a revolution,” he says. “Most of the core principles around fairness, transparency, purpose-limitation, data-minimization, and security are largely unchanged from those in the 1995 Directive.”

Yet Baines notes that GDPR does introduce some pivotal changes to "enable people better to control their personal data" while "introducing modernized and unified rules across the EU to enable a digital single market. So, data subjects are given rights to make it easier to access their own data, a right to data portability (to transfer their data between service providers), a clearer 'right to be forgotten' (meaning that data must be deleted on request if there are no legitimate grounds for retaining it), plus a right to be informed if your personal data have been subject to a serious breach."

“Businesses are now subject to general rules which apply across the EU consistently, and which require the adoption of a risk-based approach to the processing of personal data,” Baines adds. “Rules on accountability and transparency are strengthened, and they will have to embrace concepts such as ‘data protection by design and default.’ They will also face the potential of significantly increased fines for serious contraventions of the data protection law.”