Countdown to May 25, 2018

The General Data Protection Regulation (GDPR) becomes enforceable on May 25, 2018, replacing Directive 95/46/EC. The GDPR aims to harmonize data protection regulations within the EU and applies to organizations processing personal data of EU residents. It outlines obligations for organizations, such as the right to erasure, data portability, reporting security breaches, and the engagement of a Data Protection Officer (DPO) for larger entities.

Posted on: Friday, February 17th, 2017


Data flows and processes must be on every Director’s agenda right now. On May 25, 2018, Regulation (EU) 2016/679 of the European Parliament and of the EU Council will come into effect, repealing the previous Directive 95/46/EC. The General Data Protection Regulation (GDPR) provides for harmonisation of data protection regulations throughout the EU and will also apply to foreign companies processing personal data of EU residents. The regulation seeks the protection of natural persons with regard to the processing of personal data and the movement of such data.

Applies to?

Organizations need to figure out if they are within the general scope of the GDPR. Article 3 states that the GDPR applies to:

“the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, whether or not the processing takes place in the Union; and to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union where the processing relates to the offering of goods or services (whether free or paid for) or the monitoring of behaviour which takes place within the EU.”


“Processor – means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”

“Controller – means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data…”

Obligations for organisations?

· Article 17 – Right to erasure (‘right to be forgotten’), which means a data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay.

· Article 20 – Right to Data Portability, which allows Data Subjects to receive their personal data, which they have provided to a Data Controller, in a structured, commonly used and machine-readable format, and to transmit it to another Data Controller.

· Reporting of information security breaches within 72 hours to the relevant Supervisory Authority in a member state.

· Organisations that employ more than 250 personnel need to engage a Data Protection Officer (DPO) and register with the relevant authority for information and data protection in their country.

What is the cost of non-compliance?

Non-compliant organisations could face fines of up to €20,000,000 or 4 per cent of global turnover for the previous year, whichever is higher, a devastating amount for any business.

How do I comply?

Ignorantia juris non excusat, or “ignorance of law excuses no one”. The decision of where to store data, for how long, and what can be done with it is a strategic responsibility rather than an operational one. An appointed DPO must have in-depth knowledge of the organization’s architecture, people, and processes as well as data flows. They should have the right interpersonal skills and be respected by those they have to collaborate with, as the road to compliance could be an uphill struggle.

Organisations must start by identifying data processing flows and where the customer data ultimately resides, how it is protected and who is responsible for it. An IT audit based on international standards is especially useful in this case. We at Kyte can carry out an audit of your data processing activities to identify gaps between your operation and the compliance requirements and then assist you to fill in these gaps.

Author: Owen Baldacchino


· Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

· Official Journal of the European Union L119/1 of 4.5.2016

About the author:

This article was written by Owen Baldacchino, IT auditor with Kyte Consultants. At Kyte, we provide a wide range of advisory services to companies heavily reliant on information and communications technologies to achieve their business objectives.

