EU's General Data Protection Regulation

SANS Institute Publishes White Paper by Benjamin Wright


Executive Summary

Adoption of the new General Data Protection Regulation (GDPR) is motivating organizations worldwide to improve existing technical controls for securing personal information. Organizations should be especially aware that the GDPR and other recent legal developments amplify the negative repercussions of a data security breach -- meaning organizations have increased incentives to avoid a breach.

Data security law in Europe continues to evolve. Enactment of the GDPR, which takes effect May 25, 2018, will impose formal, new data security requirements on organizations within the European Union, affecting many companies.

In parallel, in October 2016, France adopted the Digital Republic Bill. It dramatically increases fines on those organizations that fall short on security. For larger, multinational organizations, these types of new security regulations reflect three major trends:


  • Greater potential monetary penalties imposed by regulators
  • More rules for disclosure of data breaches
  • Increased exposure to diverse proceedings and investigations into whether data security is adequate

As a consequence, larger organizations should begin immediately to redouble the implementation of information security controls and technologies, which includes automated IT security monitoring, testing and measuring.

This paper provides recommendations and a checklist for technical compliance with the GDPR. These recommendations are equally imperative for avoiding a painful data security breach. Included are several case studies showing how companies can effectively use advanced technology for regulatory compliance and reduced breach risk.

Read the full paper titled Preparing for Compliance with the General Data Protection Regulation (GDPR): A Technology Guide for Security Practitioners.