Thanks to everyone who attended my talk at Showmecon 2018 (“The Sky Isn’t Falling, But the Earth May Be Shifting: How GDPR Could Change the Face of Infosec”). Slides and Irongeek’s recording of the talk appear below.
- The GDPR can apply to US companies (and other companies outside the European Union) if:
  - The US company markets products or services to EU customers,
  - The US company monitors what EU residents do while those residents are inside the EU, or
  - The US company does business with another company subject to GDPR.
- The regulation’s restrictions on the collection and use of personal data are top-down, and flow from the initial lawful justification of that collection and use. Your justification for a particular type of processing has a significant impact on your compliance burden with respect to that type of processing.
- One of the most important elements of the regulation’s lawfulness requirement is its definition of consent. Specifically, consent must be affirmative (not passive), and consent must not be a condition for the provision of a service (even a free one).
- The regulation also contains very broad provisions requiring data processing systems to be adequately secured. In stark contrast to, for example, the PCI Data Security Standard, GDPR gives very little specific guidance on what a company’s security program must cover or what controls must be used. Instead, controls must merely be adequate, appropriate and proportionate.
- Among the most important topics to monitor in the news are the outcome of the NOYB.eu litigation, enforcement of the regulation’s security requirements, the scope of a controller’s legitimate interests, and the enforcement of the regulation against companies outside the European Union (especially those without customers in the EU).