In three months, the General Data Protection Regulation goes into effect.

I know what you’re thinking…not another bloody acronym!

This one comes to us from across the pond, courtesy of the European Union.  “Who cares?” you may say, safely occupying your CIO office here in the good ol’ USA. 

“Arguably the biggest change to the regulatory landscape of data privacy comes with the extended jurisdiction of the GDPR, as it applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location.”

If you’re a multi-national company headquartered in the US but doing business with the EU, you must comply with GDPR.  Quite frankly, multi-nationals probably weren’t surprised by this turn of events, and it won’t be a big leap of faith to comply with the act.

 However, it won’t be easy for them, and if it isn’t easy for conglomerates, it could be a nightmare for small business, and small business senior IT management.  Further explanations are available at

Here’s the age old question that applies to all the alphabet soup of data privacy:  What constitutes personal data?  According to the new GDPR regs it is:

“Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”

Broad enough? If you sell candles from your basement to a little old lady in England (until Brexit) you need to comply.  Get email addresses from customers in Germany?  Treating a Swedish national on vacation here in the US and need his medical records?  You better get up to speed on GDPR, and in the latter example, what, if any conflicts it poses with the US HIPAA regulations.

Again, if you are in compliance with any number of US data privacy regs, then you are probably pretty close to being in compliance with GDPR.  The main focus of the new regs are standardization of privacy compliance across the EU, stricter breach controls and notification, and stricter onus on companies to comply with opt-out choices of their customers.

Fines are substantial; up to 20 million euros.

So, as a CIO, even for a mid-size US operation with little international presence, how do you prepare?

Get a lawyer.  Understand the new regulations in a legal context.  Then do a security audit of your data processing, hosting (if any) and storage areas and determine strategy.  I can’t help but think that at least some of the impetus behind GDPR was the ubiquity of the Cloud, and the desire for EU regulators to nail down where data was being processed and stored.  If you are using the Cloud then GDPR extends not only to you, but to your Cloud provider; so you need to have those discussions.  I suspect the Googles, Amazons, and Microsofts of the world are ready to go, but you need to get those assurances in writing and as part of your existing SLAs.

This isn’t the end of the compliance, privacy, and security conversations when it comes to international business.  The Chinese, I suspect, hold a lot of EU data.  As GDPR forces companies in less-than-compliant countries to adapt or die commercially, as it were, those same countries will, in my opinion, start to develop their own sweeping and institutional compliance regulations.  Overall that development will be welcomed by the US.

It will not, however, make your job as CIO any easier.  Here’s a list of what you’re already on the hook for enforcing in the US.

It’s a lot for a CIO to handle, which is why the CISO role needs to morph into a security/compliance role, and maybe the position needs a Juris Doctor as part of the credentials as well.  Large or small, heed my advice and get legal counsel when attempting to craft your security and compliance policies.

And, it won’t be just data processing and hosting.  How will the Internet of Things affect security and compliance?

Just for the record, I’ve never trusted my toaster oven.