Privacy Regulations

GDPR applies to all companies processing and holding personal data of data subjects residing in the EU, regardless of the company’s location. The enforcement date began on May 25, 2018, and because GDPR is the most important change in international data privacy regulation in 20 years, we want to make sure your organization is prepared. Many U.S. organizations have questions about how GDPR impacts them, especially pertaining to the types of personal data they have, how the GDPR defines personal data, and the new protection laws against that personal data.

LBMC Cybersecurity can help you answer these questions, determine if your organization is a controller or processor under GDPR (or both), decide whether you need to assign a Data Privacy Officer, and understand how GDPR can impact your organization even outside of the European Union (CCPA).

Our compliance and audit experts can help your organization with GDPR compliance in the following ways:

• GDPR Applicability Analysis—LBMC Cybersecurity can help your organization understand if GDPR applies. We will gain an understanding of your environment, your legitimate purpose in retaining personal data, and how you interact with EU citizens. This will involve a review of current data flows and interviews with key stakeholders.
• GDPR Readiness—A readiness assessment takes a deeper dive into how your organization is classified under GDPR. LBMC Cybersecurity will assist you in determining if you are a data controller or a data processor and walk you through determining which legal basis for processing personal data best fits your company. Once this groundwork is laid, we can find the impact of GDPR on an organization through understanding the current privacy maturity and data flows across an organization. We can also help you develop a list of GDPR compliance action items that should be taken, including defining whether your organization is a controller, processor, or both. We will identify key stakeholders and data flows, assess contractual obligations, and implement GDPR into compliance program initiatives.
• Data Analysis and Classification—Our team can help your organization define and establish a data classification and labeling system, as well as review any existing data classification policies to ensure the protection of personal data as defined by GDPR to map out an ongoing compliance strategy. By conducting an inventory of sensitive data types and performing an analysis of information and inventory of data, we can then help you implement the appropriate controls to ensure GDPR compliance.

There are many processes you can put in place to achieve GDPR compliance, but they all point to a larger concept—data governance.

Think of it like this:

If the processes your organization puts in place are puzzle pieces, data governance is the picture on the box you look to for guidance. It’s the big picture that makes all the little pieces make sense.

So, what exactly is data governance?

Data governance establishes an organization level control environment to govern how data is processed, used, stored, and protected. At a minimum, it encompasses the following:

• What information your organization processes
• Where it’s processed
• How it’s processed
• The controls in place to ensure secure processing

How Can You Implement Data Governance in Your Organization?

First, understand what type of information your organization processes. This may seem simplistic, but it’s the starting point that will give you the most accurate picture of necessary next steps in your data governance program.

You should accomplish this step using both technical and conceptual tactics. Meaning, you should conduct a technical analysis in which you analyze all databases and information systems to determine or verify the types of information processed.

Additionally, you should conduct a conceptual analysis in which you lay out business processes to determine what information is processed, and what happens to the information in the course of business.

You want to accomplish two things during this process:

1. Classify the information.

If your goal is GDPR compliance, you’ll want to focus specifically on “personal data,” which the GDPR defines as “any information relating to an identified or identifiable natural person (‘data subject’)”.

However, for other frameworks, you’ll also need to worry about confidential or private data, so be sure to classify all information in your system.

2. Create a data map.

In addition to knowing what type of information you process, you’ll also want to document when and where that information is processed.

The goal is to create a high-level depiction of the storage and processing of all data.

This is especially helpful when addressing Article 35, which requires performance of a data protection impact assessment (DPIA) when processing “is likely to result in a high risk to the rights and freedoms of natural persons.”

The DPIA requires “a systematic description” of processing as well as an assessment of the necessity and risks of those operations, including risk-reducing measures. Understanding what data you’re processing and how it flows through your organization will give you a head start on this requirement.

After you understand the “big picture” of when, where, and how your organization processes information, you’ll need to make sure you have the appropriate control environment in place to manage that information. Your data classifications will help drive the rigor of the controls established to protect the data. Data protection is one of the GDPR requirements.

The GDPR also enforces strict regulations for international data transfer. Creating a data map to see where personal data is transferred will allow you to understand the safeguards currently in place and the controls you may need to implement moving forward.

Additionally, you will need to establish policies, procedures, and infrastructure to address individuals’ privacy rights.

For example, Article 15 of the GDPR allows users to request copies of their personal information or have that information deleted entirely. Do you have the infrastructure to allow ease-of-access to that information? Additionally, do you have procedures in place to define how that information is to be gathered and transferred to the requester?

Finally, you’ll need to train personnel in the policies and procedures used to guide appropriate data management. Although you may be able to implement the correct documentation and infrastructure to assist GDPR compliance, if employees don’t know how to use those structures, they become irrelevant.

The goal of data governance is to gain control of your data—to understand exactly where it is, how it is used, and the mechanisms for maintaining its security. It provides a big-picture compliance strategy that accomplishes the little details of data management.

The GDPR is coming, and while data governance can help you understand the path to compliance, it can still be overwhelming. LBMC’s GDPR compliance services can help you analyze and classify your data as well as provide action items to prepare you for compliance. Contact us to learn how we can help you develop a GDPR-compliant control environment.