Most privacy professionals thought it may take months, if not years, for US privacy laws to catch up to the EU but it looks like California decided to push up the timeline. Last month, the California Consumer Privacy Act of 2018 was passed by California legislature, expanding the definition of personal data and including more rights for California residents. The act includes a new scope to accompany the new requirements, applying to businesses meeting one or more specified criterion, whether they are located in the state of California or elsewhere. The IAPP has estimated that the new act will impact more than 500,000 businesses across the United States. You can read more about the study to determine the number of impacted businesses here.
GDPR was the star of the show for the 2018 IAPP Global Privacy Summit. No surprise there. What was surprising was the range of content and speakers that were there. There were multiple data protection commissioners in the building, including Isabelle Falque-Pierrotin from France and Helen Dixon from Ireland, as well as the newly elected chair of the Article 29 Working Party, Andrea Jelinek from Austria. There were some sessions on understanding the basics of the GDPR, sessions on preparing your organization for the upcoming deadline, as well as some sessions speaking to the different consulting and attestation options available to help meet the Regulation. Everywhere you looked it was GDPR and this overwhelming feeling of “The End is Nigh!” There were even shirts given out at the Convention Center that substituted “GDPR” for “Winter” in the popular “Winter is Coming” line from HBO’s series Game of Thrones.
Here’s the big question: Is the General Data Protection Regulation (GDPR) a revolutionary regulation that introduces new concepts of security and privacy? The answer — yes and no. The GDPR does introduce new requirements that are specific to the European Union, but it does so while encapsulating them in a somewhat familiar structure. Although some of the requirements get into specifics with data subjects or specific processes, a number of them have an underlying security and privacy framework that can easily be distinguished.
With the General Data Protection Regulation (GDPR) becoming effective May 25, 2018, organizations (or rather, organisations) seem to be stressing a bit. Most we speak with are asking, “where do we even start?” or “what is included as personal data under the GDPR?” It is safe to say that these are exactly the questions organizations should be asking, but to know where to start, organizations first need to understand how the GDPR applies to their organization within this new definition for personal data. Without first understanding what to look for, an organization cannot begin to perform data discovery and data mapping exercises, review data management practices and prepare the organization for compliance with the GDPR.
You most likely selected the link to this blog to discover one of two things: 1) how to effectively manage vendor requirements via SOC reports or 2) what the SOC 1/SOC 2 examination requirements are for vendor management. I don’t want to disappoint, so this article will provide you with some knowledge or at least some validation of your current thoughts on the matter.