Page 290 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
collected under the agreement.
For more information on the Privacy Shield Framework protections available to American companies, visit the FTC's Privacy Shield website at https://www.ftc.gov/tips-advice/business-center/privacy-and-security/u.s.-eu-safe-harbor-framework.
European Union General Data Protection Regulation
The European Union passed a new, comprehensive law covering the protection of personal information in 2016. The General Data Protection Regulation (GDPR) is scheduled to go into effect on May 25, 2018, and will replace the older data protection directives on that date. The main purpose of this law is to provide a single, harmonized law that covers data throughout the European Union.
A major difference between the GDPR and the data protection directive is the widened scope of the regulation. The new law applies to all organizations that collect data from EU residents or process that information on behalf of someone who collects it. Importantly, the law even applies to organizations that are not based in the EU, if they collect information about EU residents. Depending upon how this is interpreted by the courts, it may have the effect of becoming an international law because of its wide scope. The ability of the EU to enforce this law globally remains an open question.
Some of the key provisions of the GDPR include the following:
A data breach notification requirement that mandates that companies inform authorities of serious data breaches within 24 hours
The creation of centralized data protection authorities in each EU member state
Provisions that individuals will have access to their own data