Under the EU GDPR (General Data Protection Regulation), adopted on 27th April 2016 and enforceable from 25th May 2018, organisations handling EU citizen data can now expect to be fined for non-compliance, up to €20 million or 4% of global annual turnover for the preceding financial year, whichever is the greater. They must also only retain data where necessary, and identify all affected individuals within 48 hours in the event of a breach. The UK ICO (Information Commissioner's Office) is now also seeking to align UK legislation and penalties with the regulation, and is substantially increasing its workforce to address this.
The other day I was discussing the various aspects of the General Data Protection Regulation with one of my consultants, and the focus diverted to NPS.
I was reading the 260 page EU legislative directive again (sad, I know!) and at the end thought I would share with you what it stated:
1. Do I know who is responsible for cyber risks in the company? Have I met them and am I confident there is sufficient segregation between them and those making decisions about the technological direction of the company?