The General Data Protection Regulation (GDPR) is the most important change in international data privacy regulation in 20 years and is the latest in a series of European Union (EU) parliamentary measures created to place the highest levels of protection around personal data.

Many U.S. organizations have questions about how GDPR affects them, especially regarding the types of personal data they hold, how the GDPR defines personal data, and the new protections the regulation places around that personal data. With GDPR enforcement beginning May 25, 2018, LBMC Information Security wants to make sure your organization is prepared. Here are some GDPR basics that are important for your organization to know.

GDPR Origins

The EU has a long history of working to protect consumer privacy, and it established the GDPR with the aim of being a global leader in these efforts. The guidance that led to the development of the regulation was tested through two major legal challenges, which ultimately demonstrated the need for GDPR.

Who’s Affected by the GDPR?

GDPR applies to all companies processing and holding personal data of data subjects residing in the EU, regardless of the company’s location. This affects many areas of an organization, including legal and compliance, technology, and data. U.S. organizations should take notice and determine whether GDPR applies to their company. If it does, U.S. companies need to ensure they comply with the regulation, as failure to comply can result in significant penalties.

How LBMC Information Security Can Help

LBMC Information Security can help answer GDPR questions and offer guidance on determining whether your organization is a controller or processor under GDPR (or both), on whether you need to assign a Data Privacy Officer, and on how GDPR can affect your organization even outside of the European Union. LBMC Information Security’s experience in data and information security compliance under various frameworks (ISO, ITIL, COBIT, NIST, HITRUST CSF, etc.) can identify the gaps between GDPR requirements and an organization’s current security posture. LBMC’s GDPR compliance services and methodology include:

  • Discovery—We work with you to determine the types of data obtained, stored and/or processed, including the following activities:
      • Review existing data classification policy
      • Evaluate existing data labeling processes
      • Develop an inventory of the nature and type of sensitive data in the organization
  • Impact Analysis—In this step, LBMC determines the applicability of GDPR to your organization and identifies any potential gaps by answering questions such as these:
      • Do you store, process, or transmit data on EU residents?
      • Is there a legal basis for processing the data?
      • Do you have consent for the data in your control?
      • Where does the in-scope data go when it leaves your organization?
  • Reporting—Once the impact analysis is complete, LBMC will report on GDPR applicability, gaps, and recommendations for the organization.

If you’re ready to explore whether your organization will be affected by GDPR and how to maintain compliance, contact the LBMC Information Security team today.