What is GDPR? | SureCloud
Written by: Richard Hibbert

Published on: 30 Oct 2018

What is GDPR?

Richard Hibbert, CEO of SureCloud, explains what GDPR is, what it covers and how organizations can achieve and maintain compliance.

Many U.S.-based organizations that operate in Europe might not yet be thinking about how they will comply with the EU General Data Protection Regulation (GDPR), but they should be, as it comes into force in May 2018.

The GDPR covers organizations located both inside and outside the EU: it applies to any business with operations, customers, suppliers or partners within the EU. The GDPR seeks to protect the rights and freedoms of EU citizens in relation to the processing of their personal data, so if a company wants to sell to or interact with those citizens, the GDPR applies to it.

Unlike its predecessor (the EU Data Protection Directive), the GDPR has teeth: it gives regulators the power to fine organizations that fail to adequately safeguard customer data against a breach, or that fail to report a breach to the supervisory authority within 72 hours. The fine can be up to €20m or 4% of a firm’s annual turnover, whichever is greater, at the discretion of the body enforcing the GDPR. A more significant concern, however, is the reputational damage an organization would suffer in the event of a serious incident, which could see customers leave in droves, especially for businesses that process personal data as part of their core offering.

In short, this is an issue that businesses need to sit up and take notice of. Now is the time to understand what liabilities and responsibilities organizations will have under the GDPR, how those obligations can be enforced and, crucially, how businesses can prove that they are compliant with them.

What does the GDPR cover?

The GDPR governs the ‘processing’ of ‘personal’ data, and enforces a broad range of requirements related to data processing.

Note that ‘processing’ is a broad term covering any operation performed on personal data, including collecting, accessing, recording, storing, organizing, altering, retrieving, using, transmitting, combining, blocking or erasing it. Even the simple act of viewing data constitutes processing.

There are several broad general principles that apply to the processing of personal data. Personal data:

  • must be processed fairly and lawfully (‘lawfulness, fairness and transparency’);
  • must be processed only for specified, explicit and legitimate purpose(s) that are notified to the data subjects (‘purpose limitation’);
  • must be adequate, relevant and limited to what is necessary (‘data minimization’);
  • must be kept accurate and up to date (‘accuracy’);
  • must be retained only for as long as is necessary (‘storage limitation’); and
  • must be protected by appropriate technical and organizational security measures (‘integrity and confidentiality’).

Organizations that process personal data (controllers) are responsible for, and must be able to demonstrate, compliance with the above principles (‘accountability’).

Lawful processing requires that, before processing personal data, the controller must first obtain affirmative ‘consent’ from the data subject. Controllers also need to ensure that their processing activities are clear and transparent to the data subject; this can be achieved through mechanisms such as privacy statements.

It follows that, to comply with these principles, organizations will need to maintain detailed records of all processing activities. The next article will describe the challenges associated with maintaining such records, including compliance with regulatory obligations around exporting personal data outside the European Union.