In the coming months, the General Data Protection Regulation (GDPR) will officially be enforced on May 25th, 2018, with heavy fines for some organizations—including those in the United States—who are not compliant with these regulations in time. For organizations in the U.S., these soon-to-be-introduced guidelines will require an individual’s consent before processing any personal data. It also restricts how long companies can store this personal data and requires this data to be erased within 72 hours when necessary.

There are specific key terms organizations may want to be familiar with to ensure the guidelines surrounding how businesses handle personal data are completely understood. These key definitions include:

Personal Data

In the General Data Protection Regulation, “personal data” pertains to any information that relates to a subject of data from an identifiable or already identified person. Personal data can reference any information that can identify an individual, including:

  • A name
  • Any location-related data
  • An identification number
  • Online identifiers
  • The specific physical, physiological, economic, cultural, social, mental, or genetic identifiers of a person

Personally Identifiable Information (PII)

Personally identifiable information (PII) may also be referred to as sensitive personal information (SPI). This is a common term used in privacy laws and information security, referring to information that can be utilized to locate, contact, or identify an individual.

This sensitive information can be used on its own or in conjunction with related information to personally identify an individual. It is a more specific definition of "personal data” as it relates to the General Data Protection Regulation.

 As Monique Mahahaes points out, regardless of the acronym or general terms being used to describe this data, U.S.-based organizations may need to realize that the GDPR can be applicable to them, as the data collected is identifiable.

Data Processor/Data Controller

The GDPR concerns both “Data Processors” and “Data Controllers,” which are two separate entities. Data Processors handle and process personal data for data controllers, who are responsible for the means of processing said personal data.

According to the GDPR, there will be specific legal obligations for Data Processors to follow and practice as an organization, including the obligation to keep records of all personal data and any processing activities that take place. If Data Processors experience a breach, they are required to report it to supervising authorities within 72 hours and will be held legally responsible.

As defined by Article 4 of the GDPR, a 'controller' is the person or agency that determines the purposes and means of processing personal data.   The 'processor' is the person or agency that processes personal data on behalf of the controller.

The GDPR also ensures that Data Controllers have strict obligations to make sure that any contracts held with processors follow GDPR guidelines.

Data Protection Officer (DPO)

Do you need a DPO? Can my DPO be hired from within? These are questions organizations are beginning to ask. Additionally, there have been discussions as to whether or not the DPO should have a legal background, though the regulation does not require a lawyer. the GDPR A Data Protection Officer supervises the proper and professional care and usage of personal data and information. Ultimately, DPOs occupy a position within an organization that advocates for the proper care of any personal data. 

As explained in Article 37 of the GDPR the designation, formally defined the role of Data Protection Officers, which will require that all businesses who buy or sell services or goods in the European Union (EU) must have a data protection officer employed within their company.

These professionals are responsible for conducting internal privacy assessments, ensuring that the organization is following data protection common practices and rules, and all other matters pertaining to data protection.


As they pertain to the GDPR, organizations who breach guidelines can be fined 4 percent of annual global turnover, or 20 million Euros. These penalties apply to both Data Controllers and Data Processors.

However, these numbers are not necessarily the set penalty amount. The fines are calculated based on several contributing factors, such as how severe a potential data breach could be based on a non-compliance incident.

File Integrity Monitoring and GDPR

Many U.S. organizations have a lot of work to do before May 25th, 2018, but all is not lost.  If your business deals with the EU market, now is the time to create effective processes to avoid lawsuits or financial penalties. File Integrity Monitoring (FIM) can help specifically with many of the GDPR policies, including providing support for data protection with reporting procedures and helping with baselining systems and tracking changes.

As stated in Section 2, Security of Personal Data,  the ability to ensure ongoing confidentiality, integrity, and restoration of the availability and access to personal data in a timely manner can be achieved with file integrity monitoring. Article 32 also states that encryption of personal data and the process for assessment and testing must also be achieved to be in compliance with the GDPR. A robust file integrity monitoring tool can do this and also help organizations achieve compliance with GPDR. 

To learn more, download the GDPR solution brief today.


Jacqueline von Ogden
Post by Jacqueline von Ogden
February 21, 2018
Since 1999, Jacqueline has written for corporate communications, MarCom agencies, higher education, and worked within the pharmacy, steel and retail industries. Since joining the tech industry, she has found her "home".

About Cimcor

Cimcor’s File Integrity Monitoring solution, CimTrak, helps enterprise IT and security teams secure critical assets and simplify compliance. Easily identify, prohibit, and remediate unknown or unauthorized changes in real-time