Where calls to “get ready for GDPR” permeated last year’s InfoSecurity Europe conference in London, keynote speakers at this year’s event, held just 10 days after the European Union’s regulatory enforcement deadline, put a stronger spotlight on GDPR compliance and sank more serious messaging teeth into their talks.
Author: ISACA's Laurel Nelson-Rowe
Nowhere was this more evident than during the event’s “EU’s GDPR Is Here – Now What?” panel, where two enterprise privacy and security officers, a Microsoft cyber senior executive and a UK GDPR policy lead weighed the realities and rigor of the new regulatory environment.
Vivienne Artz, chief privacy officer for Thomson Reuters, said the organization has “put its house in order. Privacy, privacy and security by design are the new normal.”
Critical to Thomson Reuters’ progress, according to Artz, was senior management buy-in. GDPR support and change “must be a top-down exercise. Privacy cannot be delegated to a department. It is each individual who is now personally responsible,” she noted.
GDPR’s requirement that organizations report security breaches within 72 hours reinforces individual employee awareness and readiness, especially through documented, regularly practiced breach notification policies, according to Artz.
“If you don’t have a breach notification policy, you’re fried,” Artz declared.
Artz and Trainline security director Mieke Kooij emphasized understanding the regulation’s fine details and working collaboratively, and very actively, across IT, audit, assurance and legal. For instance, “there are new things defined as ‘breach,’” and org-wide awareness is essential to avoid complaints and penalties, said Kooij.
The enterprise leaders emphasized their need for more automated services and tools to support regulatory requirements such as data sourcing, mapping, data types and data access, a theme echoed by Johnnie Konstantas, Microsoft Enterprise Cybersecurity Group senior director. She said Microsoft, and most other technology and cloud service vendors, are deploying such capabilities given that GDPR lays additional burdens on the always accelerating pace of change in “applications, services and data … and of the supply chain. All of it as a very dynamic environment.”
And while not asserting that the Information Commissioner’s Office (ICO) will “fry” non-compliant enterprises, technology policy head Nigel Houlden said, “It’s fair to say there are some panicking,” given GDPR’s requirements and impact across EU-based organizations and all entities that do business or have customers in the region.
“If an organization is willful, disregardant and neglectful of GDPR, you will be investigated. You will feel the force of … the authority of enforcement,” Houlden said. “We will not ignore anything, even the smallest complaint, if there is harm done.”
So, while an ISACA survey leading up to the GDPR enforcement deadline asked participants about their GDPR readiness, maybe now the question should be whether you are GDPR:
Compliant
Neglectful
Panicked
Fried
Exhausted
or all of the above?
Editor’s note: For more GDPR resources from ISACA, visit www.isaca.org/gdpr.
Laurel Nelson-Rowe is director of strategic communications at ISACA. Read more ISACA blogs here.
Newly appointed U.S. Director of National Intelligence Tulsi Gabbard has been urged by Sen. Ron Wyden, D-Ore., and Rep. Andy Biggs, R-Ariz., to oppose the UK's reported order for Apple to develop a backdoor that would enable government access to encrypted iCloud data, which they argued would be detrimental to U.S. government and citizen data security, according to The Register.
SecurityWeek reports that open-source database management system PostgreSQL has been impacted by a new zero-day flaw, tracked as CVE-2025-1094, which has been leveraged as part of the attacks against vulnerable BeyondTrust Remote Support systems that impacted the U.S. Treasury Department.
Operations of the Virginia Attorney General's office were reported by the Richmond Times-Dispatch to have been significantly impacted by a cyberattack this week, which took down most of its computer systems, according to The Associated Press.