What Your Board Needs To Know About GDPR

Executives in businesses around the globe have been tracking the European Union's (EU) General Data Protection Regulation (GDPR), which becomes enforceable on 25 May 2018. Firms that operate primarily in the EU have had plenty of time to focus on this and have no excuse for not paying attention.
 
Those who operate primarily elsewhere also have no excuse for being unaware of the GDPR, and should already have assessed how their practices must change under these new rules.
 
We have found, however, that many firms, in the EU, in the US and elsewhere, are still not paying enough attention to these very serious rules.
 
The objective of the new rules is to improve the privacy and security of personal information. The rules are also designed to harmonise the many different data protection laws previously in force across Europe, which should make overall compliance easier.
Even so, for most firms compliance will require changes to how data is stored and processed, and changes that put individuals in control of their own data.
 
Remember, the GDPR is not just about firms that operate in the EU. It applies to any firm that holds or processes personal data of individuals in the EU, wherever that firm is established.
Under the GDPR, every collection and use of personal data needs a lawful basis. Where that basis is consent, the individual must give it freely, specifically and unambiguously, and the individual also has the right to have the data erased (the right to be forgotten). The definition of personal data is broad, covering online identifiers such as IP addresses.
 
At this point, just 20 days from the compliance deadline, we recommend that all firms do three things:
 
1. Read the rules yourself. They are not that hard to read and think about.
 
2. Consult outside counsel. Pick a law firm you know and trust and make sure it has GDPR expertise. Ask us if you need recommendations.
 
3. Seek an external review of your technical architecture for compliance. Our firm, Crucial Point, is a good place to start.

We recommend that boards (including audit committees, where they exist) evaluate their company's data retention activities and policies to see whether they need to be modified to comply.
Boards should ask CEOs and the management team to assess where exposure to GDPR non-compliance is greatest and to prioritise remediation.
 
Boards should ask questions to determine whether line-of-business leaders realise they are responsible for compliance, rather than assuming it is an IT function. Boards should also know who the firm's Data Protection Officer (DPO) is.
 
Here is more on the GDPR:
 
• Fines for non-compliance reach up to €20 million or 4% of worldwide annual turnover, whichever is higher.
• Personal data must be protected. This covers anything relating to an identified or identifiable natural person, including anything that can be used to identify the person indirectly: names, photos, email addresses, bank details, postal addresses, posts on social media sites, medical information and IP addresses.
• Every processing activity needs a lawful basis. Where that basis is consent, it must be requested and granted in specific ways (freely given, specific, informed and unambiguous) before data is collected and processed, and it must be as easy to withdraw as it was to give.
• The regulation describes a new position, the Data Protection Officer (DPO), which is mandatory for public authorities and for firms whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of sensitive (special category) data.
• Individuals are given new rights over their data, including the right to have it erased (the right to be forgotten).
• Data protection is expected to be designed into systems (data protection by design and by default).
• If a breach of personal data occurs, the supervisory authority must be notified within 72 hours of the firm becoming aware of it, and affected individuals must be notified when the breach is likely to result in a high risk to them. Separately, a data protection impact assessment is required before starting any processing that is likely to be high-risk.
• Transfers of personal data to other countries and organisations are regulated.
• Companies are expected to implement technical and organisational security measures appropriate to the risk, taking the state of the art into account.
 
We can accelerate your compliance with the GDPR and do so in a way that improves your security posture.
 
CTO Vision
 