GDPR, the General Data Protection Regulation, invokes mixed feelings in everyone who hears of it. It represents a large change in how the data of European citizens and residents is handled, both by data controllers and by data processors.
So, it made sense to limber up our tweeting thumbs, break out the #AlienChat hashtag and seek the opinion of the twitterati.
But this wasn’t something we could do ourselves, so we drafted in special guests Quentyn Taylor, Director of Information Security, Canon EMEA, and data protection and privacy expert Rowenna Fielding of Protecture.
We wasted no time in trying to understand the challenges and main concerns of the participants.
Rowenna discussed the fact that organisations treating GDPR as purely a compliance, legal or IT matter is a challenge, and one that will likely cause them issues. That sentiment was echoed by Sarah Clarke, who added that companies tend not to factor in issues such as contracts and due diligence.
Carl “The GDPR guy” Gottlieb also weighed in on the lack of clarity around the ePrivacy regulation.
72 hours to comply
The 72-hour breach notification rule seems to be a hot topic for many organisations. Rowenna clarified that breach notification is applicable only where there is an impact on individuals’ rights or freedoms, the scope of which extends far beyond financial data.
But as Kate Brew pointed out, in many large organisations, it can take 72 hours just to schedule a meeting.
Dead or alive?
The scope of GDPR is still a bit uncertain for some, so we sought to determine in what context GDPR applies. Apparently, the dead are exempt from it, so a funeral director losing a list of the deceased would be out of scope.
It is also worth bearing in mind that GDPR applies to EU citizens and residents no matter where the controller or processor is based.
Steps to prepare for GDPR
There isn’t much time left to implement GDPR, so we asked the expert participants what steps companies can or should be taking to prepare for it.
But I’m already compliant
If a company is already compliant with an existing security standard such as PCI DSS or ISO 27001, the question remains as to whether it would need to do anything additional for GDPR.
Quentyn and Rowenna were in full agreement with their responses.
We thoroughly enjoyed our tweetchat, it was engaging, lively, and full of wisdom. We’d like to extend our thanks to all the participants that contributed their knowledge and added to the discussion.