Okay, so I've had to have several talks with C-suite folks regarding GDPR and why General Counsels probably gave them some bad advice. It's taken a while, but I think I have it down to a few bullet points. To save you a May from hell, here they are:
You can knock these out in a 2-minute elevator ride that will have you immediately dragged into the boardroom for a very long grilling, so make sure you have a plan before you open your mouth.
To be clear, there are expectations here that we need to understand from the legislation:
Recital (2) - The principles of, and rules on the protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data. This Regulation is intended to contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and the convergence of the economies within the internal market, and to the well-being of natural persons.
Recital (14) - The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data....
Both recitals in the GDPR are supported by Article 3 which emphasises the scope of the regulation -
1. ...processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
2. ...processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union...
Hence, rather than looking at 'establishment', I encourage us to focus on we being the 'controller' or 'processor'. If we are established or are a legal entity in the Union, GDPR applies. If we process any personal data of an individual who is in the Union, regardless that individual is an EU citizen or not within its internal market, the law applies.
A lot of privacy laws align with OECD Privacy Guidelines. GDPR is no exception. All these rules are based on a set of principles and these principles will become a standard over time as they develop into norms and expectations.
I would beware of boiling things down too much for your elevator pitch when dealing with laws, for example, any breach is only going to hit the maximum fine if the Supervisory Authority(s) agree that you've been "Very bad at your job and/or particularly naughty".
For training on GDPR ISC2 probably isn't the most competent organization on privacy matters - as a group we're not bad at all, but bottom line Security != Privacy.
Course wise... I'd recommend IAPP CIPP-E on the 'why', and ITGovernance's 'GDPR' Practitioner on the 'how'. Both were fine for me, ultimately all depends on your instructor. there are certificates for ITG and certification for IAPP, but these are probably mostly for fun unless you are lucky enough to be an auditor or a Lawyer. 😉 Even then I'm pretty sure the ITG c is just a, well done I turned up and answered some questions...
I've also seen the following https://pecb.com/en/education-and-certification-for-individuals/gdpr but no idea what it's like.
If we like, we can reference the below document for the degree in fines that the regulators may impose:
In EMEA, (ISC)² has a task force on GDPR which has published documents and conducted in 2017 12 GDPR workshops across the region.
If you are interested and a EU-based company see https://custom.cvent.com/1B8FF20CA3284DDD9E69582158291F1D/files/17684a62db084072a7d2c1cf91165ab8.pdf
for non EU based see https://custom.cvent.com/1B8FF20CA3284DDD9E69582158291F1D/files/50bd54f44c8e437881c6654cef09b63a.pdf
I was made "responsible" for GDPR in my company last week.
So, I've been trying to educate myself ... and this presentation from the EMEA task force is one of the most useful and approachable breakdowns of GDPR that I have seen so far.
Thanks for posting - it helped me
I really want to work a GDPR project and I am at a global organization that is doing it right now, but I have 2 years left on the cybersecurity program I am running. I really enjoy my work and I want to thank you guys for helping me keep abreast of developments with GDPR as I focus on delivering existing technologies.
It really is just FOMO.