Data as an Enabler

Data as Main Priority

Recently, Commissioner Breton stated the following:

‘As a European Commissioner, the question I’ve been probably asked the most in the last few weeks is: what is your priority?

Is it 5G? Is it artificial intelligence? Is it industry? Services? Audiovisual? Tourism? Space? Defence? Obviously, all these topics are priorities.

But for me, their foundation, their common denominator, what runs through all their activities from end to end, is data.’


The Commissioner of Internal Market (DG GROW), Digital Single Market (DG CNECT) and DG Defense & Aerospace could not be clearer. Data is the main priority, as it is the dynamic and all-present dimension that is relevant everywhere in this Digital Age. It can bring huge opportunities, benefits and gains. It is therefore high time that people, society and organizations in any sector start to organize themselves to grab this potential, in an European and collaborative way.

No surprise that the Commission published an ambitious Data Strategy [1] last month.

Common European Data Spaces

In the Data Strategy, the Commission mentions it will support the establishment of common European data spaces in nine (9) strategic sectors & domains of public interest:

  1. Industrial (manufacturing) data space;
  2. Green Deal data space;
  3. Mobility data space;
  4. Health data space;
  5. Financial data space;
  6. Energy data space;
  7. Agriculture data space;
  8. Data spaces for public administration, and;
  9. Skills data space.

The fact that the Commission already indicates these are strategic sectors and domains of public interest implies that cybersecurity is fully in scope and on the radar:

‘The data spaces will be developed in full compliance with data protection rules and according to the highest available cyber-security standards.’

However, the Commission also has the vision of openness:

‘The vision of a common European data space implies an open, but assertive approach to international data flows, based on European values.’

Let’s zoom in to these relationships between data and cybersecurity, while aiming for an open society as envisioned.

Cybersecurity in Data Context

Data protection, whether personal data or non-personal data, is one of the main principles in this Digital Age. Data control, access, use, sharing, management and other functionalities all need the non-functionals that are data protection and cybersecurity.

When done right and therefore in an transparent and accountable way, cybersecurity can greatly contribute to the appropriate levels of data processing and protection. Therefore, cybersecurity is a prerequisite part of the solution to demonstrate trustworthiness and build and sustain trust.

Data in Cybersecurity Context

Data is a great asset to enable, facilitate and optimize cybersecurity. In all technical layers and dimensions as well as cross-layer and cross-dimensions. It can give everything and everybody a ‘contextual digital pulse’. With data and related attributes one can also identify anomalies, fraud and other risk.  

Furthermore, one can add attributes in a chain of trust in order to obtain the appropriate impact-based level of trust necessary with the then relevant context. For instance for digital identity, authorization, relational or transactional purposes.

Data-centric security is not yet that much on the radar but is a prerequisite to support human-centric, secure, safe, trustworthy and beneficial digital ecosystems – either cyber or cyber-physical –. More and more data-centricity is recognized and deployed as such. Data is part of cybersecurity, and vice versa.

Principle-based Frameworks

The digital and data domains are highly regulated nowadays. In the last years numerous new regulations respectively updated regulations have come into force. Does this mean one cannot act and maneuver in this Digital Age without the need of continuous legal assistance? We believe the answer is no, and even better: it is up to you to help out! Here is why.

Generally, all these regulations that concern data, cybersecurity or both are principle-based frameworks. Each leave room for you to design, build and deploy your own dynamic architectures and systems within such regulatory frameworks, as long as one explains and documents it well and keep those up to date. The main ingredients that one needs to take into account? These four (4) main principles, all By Design and By Default:

  1. Data Processing
  2. Data Protection
  3. Cybersecurity
  4. Data Management

The regulations mentioned in the landscape visual below provide meta-frameworks in domains such as finance (PSD2), critical infrastructure, vital systems and essential servives (NIS), personal data processing, protection and management (GDPR), identity (eIDAS), non-personal data processing and management (FFDR), open data (Open Data Directive), cybersecurity (CSA) and so on.

Each of these regulations has three to four of the main principles incorporated. Based on these, one can further detail and balance out various layers of subprinciples until some rule-based parts and related governance emerge to organize and balance the appropriate organisational and technical measures you look for, provide, procure, implement or monitor. It’s all about using your own and others’ inter-disciplinary common sense.

Get Involved

Cybersecurity is mentioned almost 20 times in the Data Strategy. The Commission also mentions that the new data paradigm where less data will be stored in data centers and more data will be spread in a pervasive way closer to the user ‘at the edge’. This brings new challenges for cybersecurity. However, it also brings massive opportunities, for all.

So, do not wait for a regulator, authority or court to come with ‘further rules’, as they will generally not. It is up to you to help load these regulatory frameworks, and make the most benefit out of the capabilities, data and other assets available in this Digital Age, while observing continuous appropriate dynamic accountability on the main and related (sub)principles and rule-sets. With this, we can build, deploy, use, enjoy and even export the most trustworthy products, (eco)systems and services in the world. As Commissioner Breton formulates:

Europe has everything it takes to lead the technology race.’

In our own words: Europe has great capabilities.

Arthur van der Wees, Arthur’s Legal, Strategies & Systems

Reference: [1]

Solving Current & Emerging 21st Century Challenging Problem Sets Require Team Work. Nothing Less

Everything is connected

Alexander Von Humboldt, the 18th-century scientist and explorer, world famous in his time, was the first to explain the fundamental functions of the mountains and rain forest for the ecosystem and climate, claiming that the world is a single interconnected organism.

Everything is connected. This is the concept of nature as we know it today. According to Von Humboldt, everything, to the smallest creature, has its role and together makes the whole, in which humankind is just one small part.

Introducing Arthur Strategies & Systems

Arthur Strategies & Systems believes that the 21st Century, with its human, societal, ecological and economical challenges clearly reconfirms and re-establishes Von Humboldt's view and statement. We are all connected in this dynamic world, and to an increasing extent interconnected and hyperconnected. We help design, build, deploy and sustain these ecosystems, and ecosystems of ecosystems.

Meanwhile, in this Digital Age, technology has outstripped our societal, economical and legal frameworks. How to catch up, and keep up? That's one of the other key missions of Arthur Strategies & Systems.

We have been working on these challenges for two decades already and have ramped up on those, and have even chosen to decicate a seperate website on it:


Digital technology changes the world at a fast pace. Yet, Humans are underrated. Build, enhance & retain trust with the combination of human brain power, purpose & passion, machines, algorithms, data & accountability.

We call that the Multiplicity Approach: a dynamic symbiotic combination of diverse groups of people that work together with diverse groups of human-centric machines, algorithms and capabilities to identify, address & solve problems, make & execute decisions, and double-loop to never-stop-learning.

This is Team Sport

This is a Challenging Problem Set. There is No One Solution. There is No One Group with the Answer. There is No One Technical Fixture. This is about Working Together, as Teams. To Achieve Outcomes. This is a Team Sport.

Therefore, Arthur Strategies & Systems operates as a distributed, interdisciplinary organisation, where we build, organise, deploy and manage special teams; per program, per project and per event.

In order to work on solving the current and emerging 21st Century challenging problem sets, we need (A) to team up with all the human brainpower available; from young and old; from junior to senior, left side of the brain AND the right side of the brain; from anybody, and (B) responsibly augment and otherwise amplify all that knowledge, experience, lessons-learned, competences and capabilities, for good.



Privacy & Other Human Values are an Opportunity, Not a Hindrance

Data is Addictive

Many have claimed that data is the new oil. While organisations are leveraging the infinite possibilities of data analytics, users happily consent to the giving away of their private information – including sensitive and other personal data – in exchange for basic internet tools and services (such as email and chat) as well as targeted-ads-selling platforms (such as numerous search engines and social networks).

However, with the new EU general data protection regulation (GDPR) shortly entering into application, as well as the recent excessive personal data sharing revelations and related behavioural analytics and influencing, privacy and related human values and rights are coming into the bright spotlight. Does the GDPR and other human rights frameworks present a hindrance for businesses though?

Turning Backs on Data Absorbers

For the past period Facebook’s data scandal has been making headlines after it emerged that the social network allegedly shared information about 87 million of its users with Cambridge Analytica, a political consultancy firm, which used the data to influence presidential elections in the U.S., amongst others. A few days later, Facebook’s chief said that all its 2.2 billion users should assume that their data has been compromised by third-party apps.

The revelations have raised a wave of criticism of Facebook’s and other Data Titans’ personal data protection practices and prompted users and organisations to close their social media accounts, while governments have intensified their calls for tougher regulation and harder taxation of these data absorbers.

Solving the Riddle

While the current increased attention to on-line privacy is noteworthy, the solution to the challenge posed does not lie as much in turning our backs on social media. It does also not in only tougher regulation.

Undoubtedly, in the context of future technological developments, users, organisations and governments will face similar challenges related to the protection of users’ privacy. Therefore, in order to remain relevant and successful in this digital age, we need to get privacy, data protection and other human values rights relevant in the Digital Age, organised-well and enforced the first time around.

Understanding Privacy

Next to calls for proper enforcement of the Rule of Law, both users, customers as well as vendors and other organisations processing personal data of others (either data controller or data processor) need a better understanding of issues pertaining to security of privacy. It is essential that users become aware of the importance of their privacy and recognise its value in the on-line environment, just as they do in the physical world.

In becoming more vigilant they be supported with, should look for and give preference to fully-transparent and privacy-enhancing products, systems and services. In response, vendors need to embrace their new role as: The Custodians of Users’ Personal Data.

This also means that they should build products, systems and services with privacy & security by design and by default, as opposed to bolting those features onto existing products, systems and services. The era of build fast fixed later is over.

Privacy as a Unique Selling Point

Platforms, services providers and other vendors should communicate transparent user-centric practices and related business models to their customers. If customers accept the approach, such privacy and security features will inevitably become important enablers for building mutual trust.

Ultimately, vendors’ focus on customers’ privacy can and should serve as a unique trust point. It will provide appropriate accountable organisations with a competitive advantage opportunity, rather than posing a hindrance. The same goes for being transparent and accountable regarding other human values.

Hence, in order to remain relevant, organisations should embrace privacy, data protection and other human values, and think of them as an integral part of the business model.

Side note: Arthur’s Legal is currently running free webinar sessions on Privacy in IoT. These webinars are open to public and provide an ideal starting point for understanding and addressing privacy- and security-related issues in context of this Digital Age. Further details and sign-up form are available at

It Could Happen to You

State-of-the-Art Security & Privacy: Merely Needed, Continuously

For organizations around the world, implementing state-of-the-art security and personal data protection (using both technical and organizational measures) is now a must. In the wake of the recent Equifax incident, this article outlines why data security and privacy accountability is important and how organizations can responsibly manage their sensitive data.

You Got Equifax-ed!

On September 7, 2017, Equifax disclosed arguably the most severe personal data breach ever, affecting up to 145.5 million U.S. consumers, between 694,000 British consumers, and approximately 100,000 Canadian residents. The global consumer credit reporting agency announced that between March 2017 and July 2017 hackers could access consumers’ personal data, including names, social security numbers, birthdates as well as driver license numbers. Also, the details of up to 209,000 credit cards were reportedly compromised.

While previous breaches have exposed the details of more people overall, the Equifax incident is significant due to the highly sensitive nature of the leaked information. Although some of the data is of temporary nature and can easily be refreshed (such as credit card numbers), other types are more difficult to change (including addresses or social security numbers).

It’s not difficult to imagine why the leak of unchangeable “lifetime data, including customers’ names and birthdates, is extremely alarming to consumers. As a result, the incident has been followed by significant media outcry, inspired the introduction of legislation, and sparked investigations from the FTC and FBI. Not to mention the value of Equifax’s stock fell by a third in the days following the disclosure.

Another Case for Encryption

Due to the extent of the Equifax data breach, it is not surprising that it took less than two weeks for the first privacy regulator to take legal action. The attorney general of the state of Massachusetts filed a lawsuit against Equifax under to the state’s consumer protection laws.

The complaint alleges that the credit reporting agency failed to adequately secure its portal after the public disclosure of a major vulnerability in the open-source software used to build its consumer redress portal and failed to maintain multiple layers of security around consumer data. It also argues that the credit rating agency violated the law by keeping Massachusetts’ residents’ information accessible in an unencrypted form on a part of its network accessible from the internet.

Given the fact that the company collects and aggregates the information of more than 800 million individual consumers worldwide, it is disturbing to learn that encryption was not being used effectively by its IT security team in this case. The lack of encryption is even more surprising when viewed through the lens of the Equifax’s main business activities: acquiring, compiling, analyzing, and selling sensitive personal data.

The Massachusetts’ claim alleges that Equifax’s market position and business nature obliges the company to go beyond the regulations’ minimum requirements and “implement administrative, technical, and physical safeguards […] which are at least consistent with industry best practices.” As one of the most commonly used and best-practice security measures, the encryption of sensitive consumer data should have been ensured.

From What If …

What if the Equifax incident had occurred a year later?

In the first months of 2018, several important pieces of new EU legislation will go into effect, including the General Data Protection Regulation (GDPR) and the directive concerning measures for a high common level of security of network and information systems across the Union (NIS Directive). Both laws bring about significant changes in the domain of data protection and cybersecurity and introduce a new set of requirements with which companies must comply. Had the Equifax breach occurred in July 2018, the agency would likely face legal claims pursuant to GDPR and NIS Directive.

The NIS Directive aims to achieve a high common level of security of network and information systems within the EU. In doing so, its provisions apply to all providers of digital services active in the EU as well as operators of essential services active in the Union. GDPR, on the other hand, places stringent data protection and security obligations on anyone handling personal data of EU citizens.

Similar to NIS Directive, the GDPR requires companies processing personal data to implement appropriate technical and organizational measures that ensure a level of security appropriate to the risk, taking into account state-of-the-art costs, purposes, and impact. In this respect, the regulation regards encryption as one of the appropriate technical measures to be implemented. Failing to encrypt customers’ data properly, Equifax would likely be non-compliant with its relevant provisions.

GDPR also requires an organization to notify authorities within 72 hours of becoming aware of the breach, so it’s Equifax’s disclosure of the data breach more than six weeks after it occurred would certainly not comply with the obligation to notify the supervisory authority without undue delay. Once again, had the incident occurred a year later, failing to act in accordance with the law could result in Equifax being charged with penalty fees of up to 4 percent of its total worldwide annual turnover, which would amount to about EUR 130 million, per breach.

Data Protection Impact Assessment

Both breaches could have been prevented had Equifax diligently carried out the Data Protection Impact Assessment (DPIA) required by the EU GDPR. The DPIA is a legal requirement under the GDPR for organizations processing personal data in a way which is likely to result in high risk to the rights and freedoms of natural persons. Though it is not only important from the legal compliance perspective, the DPIA can also provide organizations with a systematic description of personal data processing, including special categories of data, an assessment of its necessity and processing, as well as identification of risks and the measures in place to address them.

In other words, DPIA serves as a valuable strategy and validation tool for testing and assuring data and security strategy. It provides organizations with many benefits, including the potential for structural savings, data minimization, and scalability of the business model. Hence, based on the extent of the incident it is clear that a diligently carried out DPIA would and should have raised plentiful red flags for Equifax to address.

It Could Happen to You

Given the thousands of UK and Canadian citizens who were also affected by the Equifax incident, some have claimed that the filing of the lawsuit by the Massachusetts attorney general may just be the tip of the iceberg. Indeed, it may as well be the case. At the same time, however, there remain thousands of organizations processing sensitive personal data which constitutes an essential part of their business.

Irrespective of the new legislation entering into application in 2018, if organizations have not started addressing the issues of security and protection of personal data of their customers, the Equifax saga may in the end only serve as an overture to a swiftly developing and extensive narrative featuring a growing number of unprepared characters.


You don’t know what you don’t know


IT teams generally use encryption to enable better security and data protection. However, in the hands of malicious parties, encryption can be utilized as a tool to prevent you from accessing your files and data. We have been aware of this kind of cyberattack for a long time, but the most recent attack by the WannaCry ransomware cryptoworm was extensive, global and on the front page.

Under any circumstance, a ransomware exploit is terrible for an organization. The preliminary impact can cause extensive downtime and may put lives and livelihoods at risk. However, in the latest attack several hospitals, banks, and telecom providers found their names mentioned in the news as well, suffering damage to their reputations and losing the trust of patients and customers alike. For a thorough summary of the events, we refer you to the many articles, opinions and other publications about the WannaCry ransomware attacks. This article covers the rarely discussed secondary effects of ransomware attacks.

Data exploits

What should you do if you discover your data has been encrypted by ransomware?

When there is a loss of data control, most IT teams immediately think of avoiding unauthorized data disclosure and ensuring all sensitive materials remain confidential. And indeed, these are sound measures.

However, what if you can retrieve your organisation’s data because a decryption tool was made available by a third-party (experts recommend strongly against paying the ransom)? One may think that business can continue as usual and it can be assumed the data was not compromised or disclosed, right?

Who touched my hamburger?

Unfortunately, if no mechanism was in place beforehand to track if the retrieved data had maintained its integrity during the ransomware timeframe, one simply does not know. Thus it will not be clear whether it has been modified, manipulated, or otherwise altered. Are you willing to still eat that hamburger?

Furthermore, one does not know whether a copy has been made, either in part or as a whole. And, if a copy was made, IT teams cannot track where it is, and whether it left regulatory data zones such as the European Union or European Economic Area.

Secondary effect of ransomware

The loss of control described above is the secondary effect of a ransomware attack, which may be even more far-reaching than the original wave. With very little information about what happened to the data during the attack, it is up to the respective data controller or data processor to perform analysis on the long-term impact to the data, data subjects, and respective stakeholders.

Under the Dutch Security Breach Notification Act (WMD), established in 2016, data integrity breaches are a trigger to initiate the notification protocols, in the same way as confidentiality breaches and availability breaches are triggers. Under Article 33 of the General Data Protection Regulation (GDPR), loss of control is also a trigger to notify the data protection authorities.

In most cases it will be very difficult to demonstrate accurately that the breach has not resulted in a risk to the rights and freedoms of the respective natural persons (or as set forth in both the GDPR and WMD, the breach must not adversely affect the data, or adversely affect the privacy of the data subject), obligating the data controller to notify the authorities.

Besides notification, what other measures should be put in place to monitor irregular activities, and for how long? The window of liability for any identity thefts resulting from the breach will remain open for quite a while, so mitigating risk should be on the top of the priority list.


Encrypting data and maintaining the encryption keys on site would not have spared an organization from falling victim to such an attack. However, it would enable the exposure to be significantly reduced. This would allow an organization to convey, with confidence that, by maintaining the original encryption keys on-premises, they were in complete control of the data, even when it was encrypted by the attackers using another set of keys.


The GDPR is aimed to give data control back to the data subjects. Encryption is mentioned four (4) times in the GDPR, which will enter force within one year, on 25 May 2018. It is explicitly mentioned as an example of a security measure component that enables data controllers and data processors to meet the appropriate level of state-of-the-art security measures as set forth in article 32 of the GPDR.  in real-life examples such as WannaCry and similar ransomware hacks it can also make the difference between control and loss of data, and the associated loss of trust and reputation.

The GDPR it is not about being compliant but about being accountable and ensuring up-to-date levels of protection by having layers of data protection and security in place to meet the appropriate dynamic accountability formula set forth in the GDPR. Continuously.

So, encryption can not only save embarrassing moments and loss of control after the ransomware or similar attacks, but it can also help organisations to keep data appropriately secure and therefore accountable.

BEYOND THE TIPPING POINT: Technology is now a highly regulated domain

 Can Technology-Centric Standards Cope With User-Centric Regulations, such as the GDPR?


Technology-driven change

Technology changes the world at a fast pace. Internet and web services are showing this already on a daily basis and massive scale. Technology makes innovation possible in society and in our economy. Cloud computing, data analytics and Internet of Things (IoT) will expedite this pace by hyper-connecting people, organizations and data with billions of objects.

Technology-centric versus user-centric compliance?

More and more companies and other organizations are picking up speed to explore how to benefit from digital technology. From an information security perspective, for more than a decade organisations (whether provider or customer) have taken steps and implemented organizational and technical measures in order to seek and obtain compliance and assurance regarding various international information security standards, such as the ISO 27000 series, SSAE 16 SOC series. From a technology- and process-centric perspective that makes a lot of sense.

However, with the recently adopted user-centric EU General Data Protection Regulation (GDPR), just being compliant to international or other standards is not enough and would actually mean regulatory non-compliancy. A regulation prevails over standards, and the GDPR is not a standard. Not being in full compliance to regulation such as the GDPR can now lead to enormous penalties of up to 4% of the annual global turnover. The GDPR is applicable to any organisations in the world that is active within the EU, not just EU organisations.

So, it is time for these organizations to look beyond the former comfort zone called information security and related standards. Now they must ensure true compliance with the demanding user-centric requirements set forth in the GDPR. Where standards traditionally focus on technology-centric processes and controls, regulation such as the GDPR – soon to be followed by the upcoming ePrivacy Regulation – is user-centric, including but not limited to the data subject itself and its related data and knowledge.

In this article, we will navigate you through some essentials steps to becoming GDPR compliant.

Navigation Essential Nr. 1: Personal Data Life Cycle

In the life cycle of data, most organizations are either data controllers or data processors: they create, collect, process, derive, archive and (ideally) delete data. From the perspective of data protection, information security standards focus on the company’s internal processes and technology processing the data once received or otherwise obtained. Such standards aim to ensure that data receives an appropriate level of protection within the organization’s infrastructure and is prevented from unauthorized disclosure, modification, removal or destruction.

By contrast, GDPR prioritizes the rights of the data subject (the individual), with regards to the legal basis of processing of the individual’s personal data and the legitimate purpose to do so, in each of the phases of the personal data life-cycle. By having combined both the user-centric and data-centric approach, the GDPR provides a higher benchmark for security in data processing than the current standards.

Navigation Essential Nr. 2: Data Travels

This approach makes a lot of sense and is a prerequisite if you take into account the way that data travels. Where information security was generally only aimed for internal processes and related controls, this is the age of digital data being transmitted, exchanged and otherwise processed around the world, any time, (almost) any place. Therefore information security now should be much more about data control, access, use and digital rights management.

The GDPR has taken these points into account, but most organisations (and data subjects) are not aware of the fact that data travels far beyond the organization, and may be obtained and otherwise processed far beyond the back-end servers of the organization. Think about sensors picking up a data subject and sending related personal data through devices and gateways to various web servers and then the back-end servers. This multi-dimensional element is generally not yet very much acknowledged or addressed.

Navigation Essential Nr. 3: Data Protection and Security

Likewise, GDPR takes a more stringent stance towards data protection and security requirements. While the current standards focus on determining and preventing risks by putting in place a set of internal policies, processes and controls, GDPR requires organizations to assess the level of protection from a wider perspective. The GDPR offers an equation for finding the appropriate level of protection, per purpose, per impact assessment, et cetera.

The level of having state of the art security measures (both technical and organizational) in place is the benchmark in the GDPR, where (i) the related cost of implementation, (ii) the purposes of personal data processing and (iii) the impact on the rights and freedoms of the data subject (also good, bad and worst case scenarios) need to be taken into account, whether one is either data controller or data processor. We call this the appropriate dynamic accountability (ADA) formula:

State of the art security – Costs – Purposes + Impact

Although the current information security standards aim for ‘achieving continual improvement’, the GDPR aims to ensure up-to-date levels of protection by requiring the levels of data protection and security to continuously meet the ADA formula.

Navigation Essential Nr. 4: Encryption

Encryption is mentioned four (4) times in the GDPR. It is mentioned as an example of a security measure component that enables meeting the state of the art formula requirements. Encryption of data plays an important role in ensuring security. Moreover, applying appropriate encryption can enable personal data to be securely exchanged and used in the cloud, cloud edge, IoT and other digital ecosystems while preventing unauthorized processing and access to it. While for instance the 27001:2013 requirements make no explicit references to encryption, the GDPR recognizes the benefits of encryption and prefers it as a method of facilitating the security of processing data and mitigating inherent risks, adversely effects and other negative impact.

For example, in countries that already have security breach notification regulation in place regarding personal data (such as the Netherlands) enforced by the local Data Protection Authority (DPA), encrypting personal data means that in case of a breach the data subjects do not need to be notified (other than to the DPA itself), which is a requirement if such personal data is not encrypted. Although not yet made clear by the EU data protection authorities, this is likely to be similar for breach notification required under the GDPR.

Compliance is not what it used to be

Having analyzed the state of play of international information security standards and its frameworks, we can safely conclude that GDPR raises the bar for personal data protection and related security by introducing user-centric and more specific data-centric requirements as opposed to process- and technology-oriented frameworks of standards.

Being compliant in the traditional way where compliance refers to compliancy and assurance of standards is not good enough anymore. Technology has become a highly-regulated domain in itself.

How to gear up?

Since the (2018) GDPR requirements are stricter than those of its (1995) predecessor, there is a lot to be done to ensure compliance with the GDPR before or by 25 May 2018, the date the Regulation enters into force. Organizations that are already ISO27k, SOC2 or otherwise compliant to information security standards should start performing various gap analysis and data impact assessments. In addition, organisations should (re)design and build multi-layered, interdisciplinary (data) architectures to ensure appropriate and accountable GDPR compliance and avoid those hefty penalties, which for large enterprise can amount to several billions of Euros.

The good news is that, once an organization does have those appropriate technical and organizational measures in place, it will significantly increase trustworthiness towards customers and stakeholders, and demonstrates next generation readiness.