If you do business internationally, chances are your privacy processes and procedures must hold up to the requirements of the European Union's General Data Protection Regulation (GDPR), which went into effect on May 25, 2018.
This European Union (EU) regulation, intended to give people more control over their personal data and protect that information from risk, applies to any organization that conducts business in the EU. The GDPR is a complicated framework and represents the most sweeping change in data privacy regulation in decades. Many U.S. companies are struggling to meet its requirements.
You need an information security and compliance partner you can trust to help you navigate the GDPR.
Who Must Achieve GDPR Compliance?
With the extended jurisdiction of the GDPR comes the biggest change to the regulatory landscape of data privacy in decades. GDPR provides one set of data protection rules and applies to all companies processing the personal data of people residing in the European Union, regardless of the company’s location.
The GDPR also applies to the processing of personal data of data subjects in the EU by a controller or processor not established in the Union, where the activities relate to offering goods or services to EU citizens (even if payment is not required) and the monitoring of behavior that takes place within the EU. Non-EU businesses processing the data of EU citizens also have to appoint a representative in the EU.
What is Personal Data?
According to the GDPR, personal data is any information that relates to an identified or identifiable living individual. If different pieces of information can be collected together to lead to the identification of a particular person, this information also constitutes personal data.
Examples of personal data are as follows:
- Name and surname
- Home address
- Email address
- Identification card number
- Location data (for example the location data function on a mobile phone)
- Internet Protocol (IP) address
- Data held by a hospital or doctor, including any symbol or number that uniquely identifies a person
What Constitutes Processing of Data?
Processing of data pertains to any operation performed on personal data, whether by manual or automated means. This covers a wide range of functions, including the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.
The GDPR contains a number of new requirements for businesses. Failure to comply can expose your business to the risk of substantial GDPR fines — up to four percent of global revenues for the most serious infringements, such as not having sufficient customer consent, according to the EU GDPR Information Portal.
The new requirements include:
- Consent. Before any personal data can be processed, your company must receive consent from the individual. The consent can be withdrawn at any time.
- Breach Notification. Supervisory authorities must be alerted to a personal data breach within 72 hours of your company becoming aware of it.
- Right to Access. Individuals have the right to access their personal data and can request a copy of it.
- Right to be Forgotten. An individual may request that your company erase their personal data and stop processing it.
- Data Portability. Individuals can request a copy of their personal data in a format that can be transferred to another company.
- Data Minimization. Your company can only hold and process the data absolutely necessary for the task at hand.
GDPR Compliance Assessment
Sword & Shield leverages its experience in data and information security compliance under various frameworks (GDPR, NIST, HIPAA, ISO, ITIL, etc.) to identify the gaps between GDPR requirements and your current security posture.
With the regulation recently going into effect and regulators announcing imminent GDPR fines, it’s time to understand your status and remediate your gaps. Organizations at varying stages of readiness can rely on Sword & Shield to provide clarity around GDPR compliance.
We Get to Know You
Sword & Shield employs its more than 20 years of information security and compliance expertise to partner with you to determine your status and assist you with fulfilling GDPR requirements. We get to know you through the following:
- Sword & Shield reviews your documentation, such as policies, procedures, and records, to determine whether GDPR requirements are being met.
- We interview your team members to determine whether controls are in place and operating effectively, and to evaluate their knowledge of those controls.
- Evidence Gathering. We collect and review documented policies and procedures, as well as interview findings, to assess accuracy and compliance with the GDPR.
What our GDPR Assessment Includes
We are uniquely qualified to perform your GDPR assessment based on our ability to get to know your organization, systems, processes and documentation, and apply this information to GDPR using our compliance expertise. Sword & Shield’s GDPR assessment services include the following:
- Gap Analysis against relevant GDPR Articles
- Personally Identifiable Information Identification
- Incident Management Process Review
- Vendor Management Practices Review
- Information Classification
- Data Retention Review
- Policy and Procedure Review
Let Sword & Shield help you to determine your data privacy and security needs, and implement safeguards to meet them.
GDPR Compliance Services Deliverables
Sword & Shield identifies gaps between your current policies, procedures, systems, and applications relative to the GDPR. The results of the analysis are used to create recommendations to assist with the remediation efforts required to reduce gaps and achieve compliance with the GDPR.
Following delivery of the final report, Sword & Shield provides you with your customized roadmap to GDPR compliance. The roadmap takes into consideration the controls that need to be addressed to lower risks and address compliance deficiencies.