GDPR | DOI: 10.1145/3310326

New European Data Privacy and Cyber Security Laws—One Year Later

BY LAURENCE KALMAN

Many view Europe's approach to data privacy and cyber security as setting a global gold standard.

THIS HAS BEEN a momentous year for data protection and information security regulation in Europe, with two landmark pieces of legislation taking effect. Together they represent a major shift in the European industry's approach to privacy and security compliance.

The long-awaited General Data Protection Regulation (GDPR) came into force in the European Union (EU) on May 25, 2018, attracting a huge amount of attention and prompting a flurry of email messages to customers on historic marketing lists. Now organizations that process personal data are regulated not only if they are established in the EU, but if they target goods or services at, or monitor the behavior of, individuals in the EU—regardless of where they are located. Service providers that process personal data for others become directly regulated, while individuals' rights to manage their data have been enhanced. And the new sanctions regime has given regulators real teeth, with the ability to levy fines up to the greater of €20 million or 4% of total worldwide annual turnover.

Shortly before the GDPR took effect, the deadline for EU member states to implement the Network and Information Security Directive (NISD) passed much more quietly. Often viewed as the GDPR's 'younger sibling,' the NISD has proven a less eye-catching piece of legislation although it too threatens hefty penalties for breach.

Whereas the GDPR focuses on protecting individuals' rights to privacy, the NISD originates in national security concerns. It aims to raise levels of cyber security in specific sectors that represent 'critical national infrastructure,' such as energy, transport, health and water, as well as among suppliers of essential digital services.

A New Culture of Compliance?

The GDPR has pushed data privacy compliance up the corporate agenda for the long term. Organizations must understand and document the personal data they use in far greater detail than before. Shortly before the compliance deadline, the International Association of Privacy Professionals and Ernst and Young estimated that large British firms had spent $1.1 billion on GDPR preparations, while U.S.-based companies had invested $7.8 billion.

According to research into GDPR readiness costs among FTSE100 companies carried out by management