GDPR Compliance and Its Impact on Security and Data Protection Programs

An Osterman Research White Paper Published January 2017

Executive Summary

Protecting personal data has been an important issue in the European Union (EU) for more than 20 years, and the recently ratified General Data Protection Regulation (GDPR) takes data protection to an entirely new level. In addition to imposing a new set of legal requirements that necessitate both organizational and technological responses, the GDPR applies to almost every organization around the world that collects or processes personal data on individuals located within the EU, whether permanent residents, visitors or expatriates. Compliance is thus predicated on the geographical location of the individuals about whom an organization holds personal data, not on the country in which the organization is registered.

This represents a sea change in how organizations must protect the personal data of anyone in the EU, and it may have implications for how they protect the personal data of non-EU residents as well. Hence, the “General” Data Protection Regulation could better be called the “Global” Data Protection Regulation. In light of the financial penalties associated with non-compliance, it requires serious attention and action from all organizations doing business across Europe (including the United Kingdom post-Brexit), whether in the EU or in the wider European Economic Area (EEA).


The GDPR is the EU’s new data protection regulation, published in May 2016 and applicable from May 25, 2018. Organizations anywhere in the world that collect or process personal data on EU residents must comply with the regulation or face significant financial penalties and reputational damage.

Complying with the GDPR requires both organizational and technological measures. Organizational measures include appointing a Data Protection Officer (where the regulation requires one), policies and training on handling personal and sensitive personal data, and an approach for carrying out a Data Protection Impact Assessment (DPIA). Technological measures for protecting personal and sensitive personal data include data classification, data loss prevention, encryption, more explicit consent management, limits on data transfers, and technologies that enable data subjects to exercise their rights to access, rectify and erase the personal data held by data controllers (subject to certain conditions).

The GDPR is focused on the protection of personal data, not merely the privacy of personal data. Complying with the protection mandate requires a higher degree of proactive and far-reaching effort on the part of organizations that control or process personal data.

The enforcement date of May 2018 is less than 18 months away, and every organization subject to the GDPR by virtue of controlling or processing personal data on EU residents must act now to develop a coordinated organizational and technological response to the new requirements.

Among the mid-sized and large organizations surveyed for this white paper, all of which will be subject to the GDPR, the majority (58 percent) are not sufficiently familiar with the wide scope of the regulation and the penalties it carries. Only 10 percent believe their organizations are “completely ready” to comply with its requirements.


Some results of the survey conducted for this white paper are included herein; the full results will be published in a separate survey report shortly after the publication of this paper.

This white paper and survey were sponsored by Mimecast – information on the company is provided at the end of this paper.

Osterman Research, Inc. • P.O. Box 1058 • Black Diamond, Washington • 98010-1058 • USA • Tel: +1 206 683 5683 • @mosterman