Privacy - General Data Protection Regulation (GDPR)
What is the General Data Protection Regulation (GDPR)?
The GDPR privacy framework for protecting data is based on the EU-U.S. Privacy Shield framework, which establishes obligations on American companies to protect the personal data of EU citizens, as well as to comply with the requirements set forth by the European Court of Justice. Privacy Shield is composed of six Privacy Principles. These Privacy Principles form the basis for the GDPR, which all other major regulatory standards encompass.
Does the EU Data Protection Regulation Apply to Me?
To find out if you need to comply with this EU data protection regulation, ask yourself: Do you hold any personally identifiable information of EU citizens (or even a single citizen)? This can be almost anything: name, email address, bank account, credit card number, address, employer, etc.
If your answer is “yes,” you are within the jurisdiction of the GDPR.
Okay, that’s me… now what?
The scope of the regulation and requirements set for your organization are primarily determined by two factors:
- What personal information about EU citizens do you hold?
- Where is the information held?
Peeling back the Privacy Shield vs. GDPR onion…
Because the EU does not consider the US to have adequate privacy laws in place, US-based organizations have no legal ground to stand on for GDPR compliance. US firms are stuck, but don’t fret just yet! Privacy Shield is the bus US companies jump on to ride into GDPR town.
Self-attesting and publicly stating compliance with Privacy Shield is a legally binding act that elevates a US organization’s legal status to adequately meet the EU’s privacy law requirements. Without Privacy Shield self-attestation, there can be no GDPR compliance for a US-based firm.
The GDPR is a labyrinth of definitions, requirements and exemptions. Navigating these murky waters can often leave readers lost and confused. Ultimately you just want clarity on what you need to do, and by when, in order to achieve or maintain compliance.
Unfortunately, the GDPR does not make this easy. Case in point, there are several definitions of the word “data” in the regulation depending on the requirement you are reading.
Where to turn?
Whether you are looking for a small nudge in the right direction or want to completely forget this EU data protection regulation exists, you are in the right place. The most successful engagements around the GDPR start with the right consultant who can map your organization’s particular journey to compliance.
Why Pivot Point Security?
Here at Pivot Point Security, we help guide our clients based on their needs and resources. Formed from the six Privacy Principles established in the Privacy Shield regulation, our approach keeps the ultimate goal (compliance) front of mind. Our proven process guarantees compliance will be met:
Phase 1 - Analysis Phase
- Scope determination
- Risk Assessment
- Gap Assessment
Phase 2 - Planning Phase
- Risk Treatment Plan
- Gap Remediation Plan
- Policy/Procedure Drafting
Phase 3 - Certification/Maintenance Phase
- Gap Remediation Activities
- Data Privacy Training
- Completion of Materials for Submission (to regulatory bodies; where applicable)
- Continuous Improvement/Monitoring
The Results of Working with Pivot Point Security?
Your business will be demonstrably secure & compliant. You can rest easy knowing your Data Privacy Protection compliance needs are met.
Operating without clear data privacy guidance can be extremely costly. Official penalties have not been released but assuming they will be in line with other government regulations, penalties for noncompliance with the new EU data protection regulation will be stiff.
For instance, the GDPR has tiered penalties, the stiffest being 4% of annual revenue for certain infringements and €20M for other types of infringements. There is too much at stake to leave your business so vulnerable.
With that in mind:
We don’t pretend we are the only group of quality data privacy consultants, but we do feel it’s crucial for you to be protected. If we are not the right partner for you, we would be happy to point you in the direction that most closely aligns with your goals and objectives.
The security of your operations and continuation of your organization is what we care about.