Newcomer III

GDPR Elevator Pitch

Okay, so I've had to have several talks with C-suite folks regarding GDPR and why General Counsels probably gave them some bad advice.  It's taken a while, but I think I have it down to a few bullet points.  To save you a May from hell, here they are:


  • The "establishment" text is misleading. The EU doesn't mean what every other English-speaking person on the planet means when they say "established". They mean if you offer any products or services to anyone in the EU or any EU citizen.
  • GDPR also extends to your employees and former employees.
  • GDPR isn't really a set of standards.  It's more a set of rights and penalties for violating those rights.  Gross negligence findings mean a maximum fine of the greater of 4% annual global turnover (sales, income, etc.) or €20 Million.  Simply failing to disclose a breach within 72 hours is a 2%/€10 Million fine.
  • EU follows a standard that if a person could possibly be protected by GDPR, they are.  That means customers, partners, business leads, and employees with dual-citizenship in the EU are also covered.

You can knock these out in a 2-minute elevator ride that will have you immediately dragged into the boardroom for a very long grilling, so make sure you have a plan before you open your mouth.

You only say it's impossible because nobody's done it and lived.
8 Replies
Viewer II

The duties of the Controllers, Processors and the best practices to determine data protection impact analysis (DPIA) should be in the context of the Pitch for professionals that may wear the shoe of DPOs (Data Protective Officer). Has the ISC2 any crash training programs for the GDPR in depth?
Newcomer III

To be clear, there are expectations here that we need to understand from the legislation:


Recital (2)  - The principles of, and rules on the protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data. This Regulation is intended to contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and the convergence of the economies within the internal market, and to the well-being of natural persons.


Recital (14) - The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data....


Both recitals in the GDPR are supported by Article 3 which emphasises the scope of the regulation -

1. ...processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

2. ...processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union...


Hence, rather than looking at 'establishment', I encourage us to focus on us being the 'controller' or 'processor'. If we are established or are a legal entity in the Union, GDPR applies. If we process any personal data of an individual who is in the Union, regardless of whether that individual is an EU citizen or not within its internal market, the law applies.


A lot of privacy laws align with OECD Privacy Guidelines. GDPR is no exception. All these rules are based on a set of principles and these principles will become a standard over time as they develop into norms and expectations.

Community Champion

I would beware of boiling things down too much for your elevator pitch when dealing with laws, for example, any breach is only going to hit the maximum fine if the Supervisory Authority(s) agree that you've been  "Very bad at your job and/or particularly naughty".


For training on GDPR ISC2 probably isn't the most competent organization on privacy matters - as a group we're not bad at all, but bottom line Security != Privacy.


Course wise... I'd recommend IAPP CIPP-E on the 'why', and ITGovernance's 'GDPR Practitioner' on the 'how'. Both were fine for me; ultimately it all depends on your instructor. There are certificates for ITG and certification for IAPP, but these are probably mostly for fun unless you are lucky enough to be an auditor or a lawyer. 😉 Even then I'm pretty sure the ITG certificate is just a "well done, I turned up and answered some questions"...


I've also seen the following but no idea what it's like.
Newcomer III

If we like, we can reference the below document for the degree in fines that the regulators may impose:


Guidelines on the application and setting of administrative fines for the purpose of the Regulation ... 

Community Champion

In EMEA, (ISC)² has a task force on GDPR which has published documents and, in 2017, conducted 12 GDPR workshops across the region.

If you are interested and an EU-based company, see

for non-EU based, see


Newcomer III

I was made "responsible" for GDPR in my company last week.


So, I've been trying to educate myself ... and this presentation from the EMEA task force is one of the most useful and approachable breakdowns of GDPR that I have seen so far.


Thanks for posting - it helped me.

Newcomer III

I really want to work a GDPR project and I am at a global organization that is doing it right now, but I have 2 years left on the cybersecurity program I am running.  I really enjoy my work and I want to thank you guys for helping me keep abreast of developments with GDPR as I focus on delivering existing technologies.


It really is just FOMO.

Newcomer II

Sounds spiffy, but like most European laws, this GDPR legislation will evolve as we come closer to May. We do not know the exact effect of the law in each country, and there likely will be some differences in how each country interprets the law (likely influenced by how much business the country does with the US, etc.). This law is not intended to hamper business, but to protect EU citizens from the US approach of collecting data first and asking questions later, especially wondering years later, after a breach, why the PII was needed and collected in the first place. In my opinion, companies need to identify where they store PII and whether they need the PII. If they need the PII, protect it. The right to be forgotten will evolve, but companies will probably be able to cite US regulations for keeping some of the data - maybe just not in an application that is touched weekly for metrics.