General Data Protection Regulation

5 Steps to prepare for the new EU Data Legislation

The clock is officially ticking for organisations to get their data protection policies in order, now that the final draft and approved text have been made available for the General Data Protection Regulation to replace the existing EU Data Protection Directive.

The new regulation will come into effect in 2017 and will require businesses to put a much stricter focus on data protection.

The headline items for organisations that collect or process EU citizen records are:

  • They must notify their supervisory authority of a data breach within 72 hours.
  • The subject will have the right to retract consent, request data erasure or portability.
  • They may face fines of up to 4% of their worldwide turnover, or €20 million for intentional or negligent violations.

These increased sanctions mean it is vital that the final legislative text be fully understood by a number of key stakeholders within the business, and that businesses start planning ahead as soon as possible.

To help with that, here are five key steps organisations can use to perform a basic assessment of their current data protection strategy and identify any potential gaps that need filling.

Underpinning all of this is the fact that businesses, no matter how big, have to begin thinking about their security in terms of when they will face an attempted data breach, rather than if. Only when businesses accept this will they be able to plan and execute successful security defences and policies.


1. Identity

The first task for any organisation must be to identify whether they are considered a data controller or processor. They must then review the relevant obligations these carry (such as issuing notices and obtaining consent), and regularly review existing and new processes around PII. They can then discover where this data resides – whether it is at rest, in motion and/or in use – have a record of processing activities and understand how this data is protected.


2. Protect

Once PII has been identified it must then be protected. Encryption and access control are common control standards, but managing encrypted data across multiple business processes is a hugely difficult task. Data sovereignty and lifecycle are key, alongside data flows to third parties, monitoring for data leakage from negligent or malicious employees and external data theft.


If an organisation suffers data loss then it is vital to detect the breach and identify if PII records were lost or stolen. If so, the business must notify the authorities within 72 hours of the discovery to initiate a full investigation. The investigation will focus on identifying the source and destination of the breach through information from Data Leakage Prevention (DLP) and Data Theft Prevention (DTP) tools. Data forensics will help to pinpoint the stolen data, so the business can issue notice to any affected data subjects.


4. Response

Incident response is critical to protecting EU citizen data. In addition to the mandatory data breach notification requirement, organisations must also ensure they have implemented and tested an effective incident response plan.


5. Recovery

In the aftermath of a data breach, businesses must ensure they maintain ongoing communication with the relevant authorities. This ensures secondary loss factors are managed and affected data subjects are kept regularly informed.


Watch our exclusive webcast, in partnership with Forcepoint

With the approved text now available for the new General Data Protection Regulation (GDPR), organisations must be prepared for when the new regulation comes into effect in 2018. Forcepoint brings you top experts in privacy law and data protection to help explain this new regulation and the implications for all organisations that process EU citizens’ data.

The headline items for those organisations collecting or processing EU citizen records include:

  • Mandatory data breach notification within 72hrs to the supervisory authority
  • Right for data subject to retract consent, request data erasure or portability
  • Administrative fines up to 4% worldwide turnover or 20m Euro for intentional or negligent violations

Listen to Information Security & Strategy Officer, Neil Thacker and guest speakers, Hunton & Williams Senior Consultant Attorney, Rosemary Jay and Associate, James Henderson, for a presentation and Q&A.
