
What Proof of Compliance will GDPR Regulators be Looking for?

Have you done all the right things to fulfill GDPR requirements?

GDPR stands for General Data Protection Regulation, the most comprehensive overhaul of European data protection rules in over twenty years.

As of May 25th, 2018, non-compliant organisations face fines of up to 4% of their global annual revenue if they are unable to demonstrate that they are GDPR compliant in the event of a breach of EU citizens' personal data. In this video, Hadi Hosn, Head of Security Strategy and GRC Consulting EMEA, shares some of the key things regulators will be looking for from organisations they audit or that have suffered a breach of their data.

Transcript:

So the proof that regulators are looking for to ensure organisations are doing the right thing, it really depends on how the regulators engage with the organisation. It could be either that they would proactively come into the organisation to assess them and make sure they're in line with GDPR requirements, or reactively, they've come in based on a breach that the organisation has had to personal data. The regulator is looking for proof that the organisation's board is aware of GDPR and is aware of the personal data risks. They need to ensure that the organisation has assessed the scope of GDPR within that organisation.

The regulator also needs to prove that the organisation has carried out an exercise to know what personal data they have, where it's going and what kind of entities and parties are accessing that data. Whether it's internal teams, or it's third parties and vendors that are partnering with that organisation. And then it's about the controls that the organisation has implemented. Whether it's encryption or masking or monitoring, detection and response controls. And this depends on the risk profile the organisation has accepted.

So whether it's monitoring, detection and response controls that organisations have implemented. GDPR is a risk-based framework. It's a risk-based regulatory framework and the organisations have the ability to choose the right controls for the risk profile, as long as they can justify those controls to the regulator, when they come knocking on their door.
