The EU General Data Protection Regulation (GDPR) is all about data privacy, and extends the rights of all EU citizens with respect to their personal data. Any organization selling goods or services to EU citizens and businesses will be required to comply. It does not require US legislation to be passed to be applicable to businesses in the US.
GDPR is strict and far reaching. There are certain parts of the regulation that will have a significant impact on how organizations do business with European customers moving forward:
Increased Territorial Scope
Previously, territorial applicability of the directive was ambiguous. GDPR makes its applicability very clear – it will apply to the processing of personal data by controllers and processors in the EU, regardless of the company’s location.
Detailed and demanding breach notification
Both the authorities and affected customers need to be notified “without undue delay and, where feasible, not later than 72 hours after having become aware of [the breach]”.
Data Protection Officers
Required if your core activities involve “regular and systematic monitoring of data subjects on a large scale.”
Tightens definition of consent
Data subjects must confirm their consent to your use of their personal data through a freely given, specific, informed, and unambiguous statement or a clear affirmative action.
Broad view of what constitutes “Personal Data”
Potentially encompassing cookies, IP addresses, and other tracking data
Empowers data subject and their rights
Right to be forgotten, Right to data portability, Right to withdraw, etc.
Hefty fines for non-compliance
Potential fines up to 20 million euros or 4% of the company’s annual turnover/revenue
The GDPR was approved and adopted in April 2016 and became enforceable on May 25, 2018. On that date, companies obtaining or storing personal data of EU citizens should adhere to the GDPR. As of now, there is no formal process for validating or proving compliance, therefore companies should take the steps to understand what Personal Data they possess, where it is stored, and how that data is obtained and protected. We can assist with this process.
Our service will help you understand your current gaps and provide you a roadmap to become GDPR compliant. Our GDPR advisory services include the following steps and deliverables:
Scoping / Data Mapping
Identification of where personal data (PI) is transmitted and stored.
Through interviews and analysis of policies and system configurations, identify current gaps and provide recommendations on how to remediate them.
We will provide you a road map for becoming GDPR compliant, including how the program should be set up, policies required, communication methods needed, etc.
We will present findings to management, and provide education regarding the GDPR, and how it applies to your company.
We can also help you with ongoing GDPR assistance, in the form of policy writing, assistance with remediation of gaps, and validation activities. While a formal assessment or official GDPR compliance certificate does not exist, we can help you obtain internal assurance about your compliance with the GDPR.
CISSP, CISA, QSA
Information Assurance and Security Lead
Member of ISC2 and ISACA
Kevin is a partner at The Cadence Group, where he oversees the firm’s data security and privacy assurance services, including SOC Reporting, PCI Compliance, Penetration Testing, and GDPR services. Kevin regularly speaks at industry conferences and local chapter events on the topics of data security and compliance. Kevin has been with Cadence since 2008, and was previously with EY in their Houston and San Antonio, Texas offices.