Bradley attorney David Lucas was quoted in LegalTech News on the EU’s General Data Protection Regulation (GDPR), which some cybersecurity professionals believe doesn’t do enough to ensure adequate data security. While the GDPR goes into detail about how EU citizens’ data should be stored and managed, it is far less specific about what exactly companies should do to protect this data.
Lucas noted that many are “still waiting for guidance” from EU regulators on how to apply the cybersecurity requirements. He said there will likely be more specifics coming out of each member state, since the “GDPR provides minimum or base level standards” for security that each EU nation will likely build upon.
Lucas added that guidance is needed, given the uncertainty around how some requirements will apply. As an example, he cited the 72-hour breach notification requirement, noting that it is triggered only for a breach of personal data that could cause harm to the rights of EU citizens. “So the question is, what is the subjective determination of harm?”
The complete article, “Vague on Cybersecurity Requirements, GDPR Worrying Experts Over Security Gaps,” appeared in LegalTech News on June 19, 2018.