European Union data protection law requires organisations to take appropriate measures to ensure the security of personal data. This obligation applies regardless of the means used to process the data: it covers not only in-house enterprise information systems, but also cloud services used to process personal data on the organisation's behalf. Mandatory data breach notification, administrative fines of up to 4% of annual worldwide turnover (or EUR 20 million, whichever is higher) and growing public scrutiny of how organisations use and protect personal data mean that the security of personal data demands close attention.
One of the central principles of the European Union's General Data Protection Regulation (GDPR or the regulation) is its accountability principle: organisations must be able to demonstrate that they comply with the GDPR and that they have taken appropriate measures to ensure that compliance. Add the 'right to be forgotten' and the principles of Data Protection by Design and Data Protection by Default, and it is clear that managing compliance with the GDPR is going to be a challenge.