The EU General Data Protection Regulation (GDPR) is all about data privacy, and extends the rights of all EU citizens with respect to their personal data.  Any organization selling goods or services to EU citizens and businesses will be required to comply.  It does not require US legislation to be passed to be applicable to businesses in the US.

GDPR is strict and far reaching.  There are certain parts of the regulation that will have a significant impact on how organizations do business with European customers moving forward:

  • Increased Territorial Scope

    Previously, territorial applicability of the directive was ambiguous. GDPR makes its applicability very clear – it will apply to the processing of personal data by controllers and processors in the EU, regardless of the company’s location.

  • Detailed and demanding breach notification

    Both the authorities and affected customers need to be notified “without undue delay and, where feasible, not later than 72 hours after having become aware of [the breach].”

  • Data Protection Officers

    A Data Protection Officer must be appointed if your core activities involve “regular and systematic monitoring of data subjects on a large scale.”

  • Tightens definition of consent

    Data subjects must confirm their consent to your use of their personal data through a freely given, specific, informed, and unambiguous statement or a clear affirmative action.

  • Broad view of what constitutes “Personal Data”

    Potentially encompassing cookies, IP addresses, and other tracking data.

  • Empowers data subject and their rights

    The right to be forgotten, the right to data portability, the right to withdraw consent, etc.

  • Hefty fines for non-compliance

    Potential fines of up to 20 million euros or 4% of the company’s annual turnover/revenue.

The GDPR was approved and adopted in April 2016 and became enforceable on May 25, 2018. On that date, companies obtaining or storing personal data of EU citizens should adhere to the GDPR. As of now, there is no formal process for validating or proving compliance, therefore companies should take the steps to understand what Personal Data they possess, where it is stored, and how that data is obtained and protected. We can assist with this process.

Our service will help you understand your current gaps and provide you a roadmap to become GDPR compliant. Our GDPR advisory services include the following steps and deliverables:

  • Scoping / Data Mapping

    Identification of where personal data (PI) is transmitted and stored.

  • Gap Analysis

    Through interviews and analysis of policies and system configurations, identify current gaps and provide recommendations on how to remediate them.

  • Road Map

    We will provide you a road map for becoming GDPR compliant, including how the program should be set up, the policies required, the communication methods needed, etc.

  • Education

    We will present findings to management and provide education regarding the GDPR and how it applies to your company.

We can also help you with ongoing GDPR assistance, in the form of policy writing, assistance with remediating gaps, and validation activities. While a formal assessment or official GDPR compliance certificate does not exist, we can help you obtain internal assurance about your compliance with the GDPR.

Kevin Abbott

CISSP, CISA, QSA
Information Assurance and Security Lead
Member of ISC2 and ISACA

Kevin is a partner at The Cadence Group, where he oversees the firm’s data security and privacy assurance services, including SOC Reporting, PCI Compliance, Penetration Testing, and GDPR services. Kevin regularly speaks at industry conferences and local chapter events on the topics of data security and compliance. Kevin has been with Cadence since 2008, and was previously with EY in their Houston and San Antonio, Texas offices.
