We help your business achieve compliance through our GDPR Compliance and Assessment Services.
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.
Does it apply to my business?
GDPR applies to any organization or company that processes and/or stores personal data of citizens of the European Union.
For organizations that collect or store data on EU citizens, key provisions of the law include:
- Data Protection Officers: certain organizations must designate a DPO who will be responsible for the monitoring and protection of personal data
- Consent: Data subjects must consent to the use of thier data, and
- Right to Object: they have the right to object to processing, marketing or profiling
- Right to Erasure: your organization must be capable of erasing personal data without delay, and have explicit means to handle requests to erase data
There is no easy, standard solution. It’s up to the organization to determine adequate security measures, and be able to justify decisions.
What are the penalties for non-compliance?
1) If your organization or business is found to be in violation of customer consent or violating the core of “Privacy by Design” concepts, the fine can be as high as 4% of GLOBAL annual revenue.
2) A company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment.
GDPR applies to both controllers and processors; cloud storage or processing is not exempt from GDPR enforcement.
What’s the difference between controllers and processors?
From Article 4 of the regulation:
(7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
(8) ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
How long does it take to become compliant?
This varies depending on where and how your data is currently processed and stored. Security maturity, including existing measures for managing sensitive data, executive level support, and risk management also play a role. No two businesses are ever alike.
What can Sera-Brynn do to help?
Compliance with GDPR will be an enormous hurdle for many companies, and the May 2018 deadline has already passed. Many organizations and companies are struggling to understand and meet compliance before something happens to trigger legal action. Our certified audit and advisory teams focus on action items that move the needle and manage the risk to your organization, and using a third-party auditor is a smart way to transfer risk. We recommend four phases to complying with GDPR:
Phase 1 – Scoping: Assess your compliance readiness, understand gaps, and develop a plan to not only comply with GDPR, but to measurably improve security overall. This includes data inventory and mapping to understand where data is stored, processed and transmitted.
Phase 2 – Privacy Programming: Implement a program to manage data flows, develop policies, deliver training, and if necessary adjust business processes.
Phase 3 – Incident Response and Breach Notification: There is a 72-hour notification window in the event of a breach involving personal data under GDPR. Understanding requirements for notification and forensic preservation is key.
Phase 4 – Detect and Defend: Get the necessary technology tools. We help you find the most effective solutions to address gaps identified in the three previous phases. Our goal is to help you achieve compliance, not to sell products.
Contact us today if you need help with GDPR compliance through the form below, at firstname.lastname@example.org or give us a call at 757-243-1257.