New regulations laid out in the General Data Protection Regulation (GDPR) will drastically impact the role of cybersecurity for European companies. The scope of the pioneering cyber protection legislation will also affect all international corporations that do business within EU borders.
The law features several components aimed at preventing companies from mining personal data from their customers. Maintaining a large data warehouse of personal information is a major liability, as the recent OPM and Ashley Madison hacks showed. The regulation now requires companies to manage customer information through lifecycle policies that periodically erase old client information. It also reinforces the right to erasure, under which clients can request at any time that their information be deleted from a company’s database.
Under this law, companies with over 250 employees must appoint a data protection officer who is responsible for reporting cyber breaches to a regional data commissioner. Together, the data protection officers and the data commissioner are intended to establish an infrastructure for containing and reporting data breaches in a timely manner. The GDPR mandates that data breaches be reported within 72 hours of first being discovered.