"The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy... " - eugdpr.org

Major Provisions

• Data subject rights
• Data breach notification
• Safe handling and transfer of data
• Data Protection Officers (DPOs)
• Applicability and Penalty

Simply put, the GDPR mandates a baseline set of standards for companies that handle EU citizens' data to better safeguard the processing and movement of citizens' personal data.

GDPR covers personal data

GDPR further defines this as follows:

Personal data means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

"Any information" - cookies, images, names, email addresses, employee numbers, location, occupation, gender, account records, etc. This is generally considered to be literal... any information relating to a data subject.

Proper collection for purpose, processing of personal data. GDPR states that data collected must be relevant for our intended purpose and that it needs to be collected for specified, explicit, and legitimate purposes.

Conditions for consent require notification to data subjects using concise, transparent, intelligible and easily accessible language. GDPR also gives EU citizens the right to withdraw their consent at any time.

GDPR also gives data subjects more control over personal data that is processed automatically. The result is that data subjects may transfer their personal data between service providers more easily (also called the "right to portability"), and they may direct a controller to erase their personal data under certain circumstances (also called the "right to erasure").

Notification to EU citizens upon data collection or acquisition. Notification must be provided with a reasonable period after obtaining the data not exceeding on month. The notification must include:

• What information is being collected?
• Who is collecting it?
• How is it collected?
• Why is it being collected?
• How will it be used?
• Who will it be shared with?
• What will be the effect of this on the individuals concerned?
• Is the intended use likely to cause individuals to object or complain?
• How to withdraw consent, correct data, or request restriction of use.
• The identity and contact details of SANS Data Protector Officer (SANS DPO).

GDPR describes the requirements for the communication of a data breach involving EU citizen personal data.

• Controllers shall notify the supervisory authority of a personal data breach without undue delay and, where feasible, not later than 72 hours, unless the breach is likely to result in a risk to the rights and freedoms of individuals.
• When the personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the controller shall communicate the breach to the subject without undo delay.

GDPR addresses the need for the controller to , while taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.

It also addresses secure storage of data, ongoing security, integrity and availability of data and the ability to restore availability within a timely manner. It also calls for regular testing and evaluation of effectiveness of technical and organizational measures ensuring the security of the data.

And, it requires that companies to perform Data Protection Impact Assessments to identify risks to consumer data and Data Protection Compliance Reviews to ensure those risks are addressed.

The GDPR requires that certain companies appoint data protection officers; these officers serve to advise companies about compliance with the regulation and act as a point of contact with Supervising Authorities (SAs).

It outlines the data protection officer position and its responsibilities in ensuring GDPR compliance as well as reporting to Supervisory Authorities and data subjects.

The DPO shall:

• carry out a review to assess if processing is performed in accordance with the data protection impact assessment at least when there is a change of the risk represented by processing operations.
• have an expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.
• inform and advise the processor and the employees who carry out processing of their obligations, monitor compliance with EU GDPR, provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
• act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.

GDPR extends requirements to international companies that collect or process EU citizens' personal data, subjecting them to the same requirements and penalties as EU-based companies.

It also outlines the penalties for GDPR non-compliance, which can be up to 4% of the violating company's global annual revenue depending on the nature of the violation.

• GDPR comes into full effect May 25, 2018
• Companies that fail to achieve GDPR compliance before the deadline will be subject to stiff penalties and fines.

EU GDPR categorizes data holders into two groups: processors and controllers.

• Controllers collect, process, store, and basically "own" the data and the relationship with EU citizens.
• Processors are essentially sub-contractors of controllers who may process, store, and utilize EU citizen data on behalf of a controller.
• There are additional required measures, processes, and documentation requirements for controllers
• SANS, including SANS Security Awareness, are considered controllers.

• Privacy Shield is an agreement between the EU and US allowing for the transfer of personal data from the EU to US.
• The GDPR has specific requirements regarding the transfer of data out of the EU. One of these requirements is that the transfer must only happen to countries deemed as having adequate data protection laws. In general the EU does not list the US as one of the countries that meets this requirement.
• Privacy Shield is designed to create an program whereby participating companies are deemed as having adequate protection, and therefore facilitate the transfer of information.

In short, Privacy Shield allows US companies, or EU companies working with US companies, to meet the international data transfer requirements of the GDPR.