The data protection and security landscape is all set for change next year with the new EU General Data Protection Regulation ("GDPR"), which applies from 25 May 2018. There will be regulatory burdens, but you can also use GDPR to bring some focus on what you do and improve your security stance. If you're serious about security, GDPR can help. Remember…
We've been working on GDPR projects since the first draft came out in 2012. GDPR is a long document, but here are some highlights:
Security breach reporting
One of the most important changes is that there will be mandatory security breach reporting (subject to some ifs and buts).
Breaches must usually be reported to the regulator within 72 hours of you becoming aware of them, and where the breach is likely to put individuals at high risk, those affected must usually also be informed. To do this you must have clear, practical, effective and immediate procedures. You'll also need to get your vendors and suppliers on board: a processor that suffers a breach must tell you without undue delay, or your 72-hour clock runs out before you even know there is a problem. This is business critical, so you can't afford to get it wrong. If the affected data was encrypted so that it is unintelligible to whoever obtained it, you may not need to notify the individuals concerned, so this could be the time to get budget to improve both your encryption and your processes.
New rights?
New rights are being introduced and existing ones tweaked, including:
Subject access requests (SARs) must be answered more quickly (generally within one month) and, in most cases, free of charge, so they could be used against you like a DDoS attack. Make sure you have a process and are ready to respond.
Data Protection Impact Assessments (“DPIAs”)
DPIAs will have to be undertaken for data processing operations that are likely to result in a high risk to individuals. DPIAs put the compliance assessment burden on those handling personal data, but, used as a wider tool, they help you get a better handle on your data processes and reduce risk. This should help you build privacy and security into the heart of what you do. There's no set format; the key thing is to pick a process that is simple to understand and helps you get to the real risks quickly.
Greater penalties
Increased enforcement will come about with the new regime, backed up by greater sanctions.
There are fines of up to €20 million or 4% of a business's total worldwide annual turnover (whichever is the greater), with likely higher reputational damage resulting and the possibility of civil actions too. In some cases the new UK legislation can also lead to criminal penalties. This is the big stick for data protection compliance, but getting it right will avoid major headaches.
What you need to do now
Start preparing now and read our FAQs at or watch our film on YouTube at You might also be interested in our GDPR Navigator subscription service, which includes films, checklists, articles and a monthly call to help plan for GDPR. The details of this service are at
By Jonathan Armstrong
GDPR will also be part of the discussion in this year's Security Serious virtual webinars. The full summit line-up includes setting the scene for the skills gap, chaired by Warwick Ashford, security editor of Computer Weekly; incentives that make the UK an ideal cyber security hub, chaired by Sarb Sembhi of Virtually Informed; artificial intelligence, chaired by Pete Warren from Future Intelligence; creative employment, chaired by Vicki Gavin, CISO of the Economist Group; and neurodiversity, chaired by Brian Higgins from (ISC)².
You can find more information, including how to register, here: .
© 2015 – 2019 IT Security Guru – Website Managed by Calm Logic