How is the GDPR affecting cyber risk management?

The General Data Protection Regulation (GDPR) is a European Union set of data privacy laws that went into effect on May 25, 2018. It demands that companies protect personal data and enforce the privacy rights of anyone on EU State’s territory. Sounds simple? It’s not! The GDPR is exhaustive in its breadth and active in its enforcement, meaning that companies need to put in real efforts to adhere to the GDPR requirements.

The GDPR applies to any institution that processes the personal data of EU citizens. “Processing” is a phrase that encompasses almost everything you can do with data: data collection, storage, transmission, analysis, and so on. “Personal data” refers to any information about a user, such as a name, email address, IP address, eye color, political affiliation, etc. Even if a company has no direct ties to the EU, it must comply if it processes the personal data of EU citizens (via tracking on its website, for example). The GDPR applies to both for-profit and non-profit businesses.

Since most data is stored online, on the cloud or on network databases, the GDPR and cybersecurity are intertwined by their shared goals and challenges of keeping that data protected. Laxity in information security controls can lead to data breaches and a direct transgression of GDPR laws. GDPR cybersecurity requirements demand that companies implement effective cyber controls to uphold their 7 Data Protection Principles:

Obtaining consent
Timely breach notification
Right to data access
Right to be forgotten
Data portability
Privacy by design
Potential data protection officers

In order to fulfill these, companies must build carefully thought-out information security systems, allowing for appropriate levels of availability, authorized access, safe transfer capabilities, data integrity, as well as the capacity for responsible deletion of data.

Cybersecurity risk management as a whole must expand its scope to cover the requirements and consequences regarding the GDPR.