The EU’s General Data Protection Regulation

Honestly now, how long have you been waiting to get your cybersecurity projects onto the Board’s agenda?  Months?  Years?  Forever?  How about your digital transformation project?  Are they all getting top billing and passionate executive support?  Not so much?  Well, have I got a Trojan Horse of a project for you!

The EU has produced a regulation, scheduled to go into full effect in May 2018, called GDPR, or General Data Protection Regulation.  And it’s a humdinger with 88 pages chock-full of cybersecurity and information management best-practice requirements aimed at EVERY organisation on the planet that collects and/or processes data related to EU citizens.  It seems somebody in the EU is a serious student of cybersecurity and of what current data analytics capabilities mean for the privacy of the average citizen.  It is clear from every paragraph of this regulation that the authors want:

  1. To establish the rights of individuals to control the data that is collected about them, however, wherever and whenever that data might be collected
  2. To hold organisations accountable for data leaks, data breaches and any other inappropriate disclosure of those same data sets
It’s pretty intense stuff.  The EU is stating that non-compliance after May 25th, 2018 can lead to fines of up to 4% of global revenue or $20,000,000, whichever is higher.  That’s enough to put most companies in the world out of business.  Oh, and they reserve the right to go after companies that are not compliant even if they AREN’T resident in the EU.  There will be a lot of companies globally that can just shrug that off.  But others won’t feel so good about being banned from doing business in the second-largest economy in the world if they get fined and decide not to pay up.
So what’s the good news in this story?  Go ahead, look again at the regulation.  (Here’s a hint: skip the first 173 paragraphs, which are numbered, go straight to Chapter 1, General Provisions, Article 1, and start there.)  There is precious little in there that information management professionals and cybersecurity professionals haven’t been banging on about doing for at least the last decade, if not more.  You have traditional infosec requirements, you have process re-engineering requirements, you have data classification requirements, data inventory requirements… all of which are now on the board agenda courtesy of GDPR.
OK.  You’ve got this huge, hollow, wooden GDPR horse that the execs know has to get through, and they are all set to open the budget gates.  So the real question is: what do you put in that horse before you push the programme through approval?  Follow my series of blog posts on the 8 things to pack in your GDPR Trojan Horse before sending it through the approval gate here at