There's no denying that GDPR completely redefined doing business with the European Union as we knew it. At IDG Security Day, Jaspreet Singh, Partner, Cyber Security (Africa, India & Middle East) at EY, brought GDPR into the spotlight and helped the audience understand this beast. Singh has led the GDPR practice at EY for two years now and has been instrumental in building it out. The European Commission took seven years to draft the law, and the number of iterations it went through - 1562, to be precise - surpasses that of any other law or regulation in history. GDPR is not something that loomed out of the blue in 2018; the regulation was passed a couple of years earlier.

What follows are edited excerpts from his address to India's top security heads at the IDG Security Day & CSO100 Awards.

Singh highlighted that the European Union had an earlier law, the EU DPA, dating from 1995. In 2011, the GDPR body was formed, and the law was passed in April 2016. It came into effect on 25 May 2018.

"The very definition of personal data has changed. Section 43(A) of the IT Act had six categories of Personally Identifiable Information (PII). GDPR twists this definition on its head - it states anything uniquely attributable to an individual is PII and needs to be kept safe," he explained.

He stated that the reason everybody is talking about GDPR is the penalties it attracts. For a data breach or other serious infringement, an organization is liable to a penalty of 4 percent of its global annual turnover or €20 million, whichever is higher. However, Singh pointed out that the penalty is not an absolute number, and he highlighted that no organization has yet paid a penalty of this magnitude.
In case of a breach, the EU supervisory authorities will investigate and look at the intent of the organization; the figure above is the maximum penalty they can enforce, not the one that is automatically applied.

Consent and decoding 'the right to be forgotten'

To highlight the significance of consent, Singh said: "Right to be forgotten is a very interesting clause, but it's very difficult to implement. If an employee leaves your organization and three years later sends you an email to delete all his data, will you have the capability of locating and deleting all the data?"

GDPR also chalks out the intricacies of consent: it has to be explicit, freely given, and informed. "There are 99 articles within GDPR, and the working paper on consent is the most elaborate document on consent you'll ever find," said Singh.

Mandates around breach notifications and appointment of a DPO

Addressing the GDPR guidelines around breach notifications, Singh said that any breach has to be reported to the supervisory authority within 72 hours of the organization becoming aware of it. "This becomes a challenge if SOC reporting has been outsourced to vendors," he said.

GDPR also mandates the appointment of a Data Protection Officer (DPO) for many organizations, and the DPO has to report to the highest level of management within the organization. Singh further highlighted the importance of CISOs knowing how information enters and leaves an organization.

Among the challenges organizations face in implementing GDPR, Singh said that keeping track of the base data used for analytics could prove to be a problem. Additionally, GDPR states that information collected from an individual can only be used for the purpose for which it was collected, so organizations now have to watch out for circulating unsolicited emails.