I have had many conversations about the negative implications of GDPR, the “stick”, but what about the positive implications, the “carrot”?
Under the EU GDPR (General Data Protection Regulation), adopted on 27th April 2016 and enforceable from 25th May 2018, organisations handling EU citizens' data can now expect to be fined for non-compliance, up to €20 million or 4% of global annual turnover for the preceding financial year, whichever is the greater. They must also retain data only where necessary, and identify all affected individuals within 48 hours in the event of a breach. The UK ICO (Information Commissioner's Office) is now also seeking to align UK legislation and penalties with the regulation, and is substantially increasing its workforce to address this.
The other day I was discussing the various aspects of the General Data Protection Regulation with one of my consultants, and the focus shifted to NPS.
1. Do I know who is responsible for cyber risks in the company? Have I met them, and am I confident there is sufficient segregation between them and those making decisions about the technological direction of the company?