GDPR Security and Privacy Need-to-Knows

GDPR is influencing cybersecurity best practices both in Europe and worldwide. The director of privacy and security at HIMSS, Lee Kim, JD, CISSP, CIPP/US, FHIMSS, offers a deep dive into the topic to offer clarity on how its wide-reaching impact is driving transformative workflow changes for organizations worldwide.

What is GDPR and how is it affecting the world’s security and privacy posture?

General Data Protection Regulation, or GDPR, applies to the processing of personal data of data subjects (natural persons) who are based in the European Union (EU). The controller, for purposes of GDPR, dictates the manner and means of processing of personal data, whereas the processor carries out the processing instructions from the controller.

A controller may be a natural person (a human being) or legal person (such as a company or association), public authority, agency or other body which—alone or jointly with others—determines the purposes and means of the processing of personal data. A processor may be a natural or legal person, public authority, agency or other body. However, it is important to know that the GDPR applies to organizations not based in the EU that target individuals in the EU, either by offering goods or services to them or by monitoring their behavior.

The regulation seeks to both harness and govern the exchange of personal data. Responsible use, disclosure and transparency of personal data is essential. The implementation of GDPR has prompted organizations worldwide to take a closer look at how customer and/or client data is handled and governed within the organization. Organizations must now deeply understand how personal data is managed and transacted internally, and across other organizations.

Watch Ron Roozendaal, chief information officer at the Dutch Ministry of Health, Welfare and Sport, talk with HIMSS TV about how GDPR gives patients a deeper stake in their own data.

Does GDPR apply to my organization, even if it is not in the EU?

Yes. It may apply to you if you handle personal data of data subjects who are based in the EU—regardless of whether the processing of data occurs in the EU or not.

Under the GDPR, there must be a lawful basis for processing the personal data of the data in accordance with Article 6 of the GDPR.

How is GDPR influencing security and privacy strategies around the world?

GDPR compliance efforts involve an alignment of policies and procedures across the entity, clear lines of communication and organization-wide support for compliance.

Three Key Takeaways

1. There is no quick and easy solution to becoming compliant.
It is a rigorous process and you need to inventory your data, and map and track your data flow. Your organization must proactively develop a systemic plan for achieving robust security and privacy protection of personal data. It is an organization-wide effort to become compliant.

2. Follow your organization’s policies and procedures and update as needed to align with GDPR.
Seek the advice of qualified counsel and/or a consultant to assist your organization in complying with GDPR.

3. Take GDPR seriously.
Fines for non-compliance can be quite significant.

The positive impact is that regulations are leading the way for strong data protection programs worldwide. Many countries are studying the regulation’s impact and evaluating whether to implement their own GDPR-like laws and regulations, further emphasizing that data protection must be a shared responsibility with public and private sectors.

These changes are an important reminder of data’s growing value as a business asset. Like all valuable assets, taking steps to secure that asset could be monumental for your company’s future.

Originally published August 26, 2019; updated September 1, 2021