
Managed GDPR Compliance

The General Data Protection Regulation (GDPR) is one of the strictest privacy and security laws in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations on organizations anywhere, so long as they offer goods or services to, or monitor the behaviour of, people in the EU. The regulation took effect on May 25, 2018. National supervisory authorities can levy heavy fines on organizations that violate its privacy and security requirements, with the upper tier of penalties reaching €20 million or 4% of worldwide annual turnover, whichever is higher.

With the GDPR, Europe is signaling its firm stance on data privacy and security at a time when more people are entrusting their personal data with cloud services and breaches are a daily occurrence. The regulation itself is large, far-reaching, and fairly light on specifics, making GDPR compliance a daunting prospect, particularly for small and medium-sized enterprises (SMEs).


Why US companies must comply with the GDPR

The GDPR applies to companies outside the EU because it is extra-territorial in scope (Article 3). The law is designed not so much to regulate businesses as to protect the rights of data subjects. A “data subject” is any natural person who is in the EU, regardless of nationality: citizens, residents, and visitors alike.

What this means in practice is that if you collect any personal data of people in the EU, you are required to comply with the GDPR. The data could be in the form of email addresses in a marketing list or the IP addresses of those who visit your website.

Data protection principles

  1. Lawfulness, fairness and transparency — Processing must be lawful, fair, and transparent to the data subject.
  2. Purpose limitation — You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.
  3. Data minimization — You should collect and process only as much data as absolutely necessary for the purposes specified.
  4. Accuracy — You must keep personal data accurate and up to date.
  5. Storage limitation — You may only store personally identifying data for as long as necessary for the specified purpose.
  6. Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
  7. Accountability — The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.

GDPR compliance checklist for US companies

  • Conduct an information audit for EU personal data. Confirm that your organization needs to comply with the GDPR. First, determine what personal data you process and whether any of it belongs to people in the EU. If you do process such data, determine whether the processing is related to “the offering of goods or services, irrespective of whether a payment of the data subject is required” (Article 3(2)(a)) or to monitoring the behaviour of people in the EU, for example through website analytics (Article 3(2)(b)). Recitals 23 and 24 can help you decide whether your activities bring you within scope. If you are subject to the GDPR, continue to the next steps.
  • Inform your customers why you’re processing their data. Consent is only one of the legal bases that can justify your use of other people’s personal data; you can find the other “lawfulness of processing” justifications in GDPR Article 6. If you choose to process data on the basis of consent, however, there are extra duties involved: consent must be freely given, specific, informed, and as easy to withdraw as to give (Article 7). Finally, Articles 12 to 14 require you to provide clear and transparent information about your activities to your data subjects. This will likely mean updating your privacy policy.
  • Assess your data processing activities and improve protection. A data protection impact assessment (Article 35, mandatory for processing likely to result in a high risk to individuals) will help you understand the risks to the security and privacy of the data you process and decide how to mitigate them. Next, implement the technical and organizational measures Article 32 calls for, such as encryption of personal data in transit and at rest, access control, and tested backup and recovery procedures, to limit your exposure to data breaches. When beginning new projects, you must follow the principle of “data protection by design and by default” (Article 25).
  • Make sure you have a data processing agreement with your vendors. You, as the data controller, remain accountable for the processors that handle personal data on your behalf, and Article 28 requires a written contract with each of them. So it’s important to have a data processing agreement that establishes the rights and responsibilities of each party, including the processor’s security obligations, its duty to notify you of breaches, and the conditions under which it may engage sub-processors. This applies to your email vendor, cloud storage provider, and any other subcontractor that handles personal data.
  • Appoint a data protection officer (if necessary). Many organizations (especially larger ones, and any whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data) are required to designate a data protection officer under Article 37. The GDPR specifies the qualifications, duties, and independence of this management-level position in Articles 37 to 39.
  • Designate a representative in the European Union. Article 27 specifies which non-EU organizations are required to appoint a representative based in one of the EU member states. Recital 80 provides further details about this role.
  • Know what to do if there is a data breach. Articles 33 and 34 lay out your duties in the event personal data is exposed, whether through a hack or any other kind of data breach: the supervisory authority must be notified within 72 hours of becoming aware of the breach unless the breach is unlikely to result in a risk to individuals, and affected individuals must be informed when the risk is high. The use of strong encryption can reduce your exposure to fines and, under Article 34(3)(a), can remove the obligation to notify affected individuals if the exposed data was unintelligible to whoever obtained it; it does not remove the duty to notify the supervisory authority.
  • Comply with cross-border transfer laws (if applicable). As with previous EU rules on the transfer of personal data to non-EU countries, Chapter V of the GDPR (Articles 44 to 49) imposes strict requirements on organizations wishing to do so. Transfers are permitted to countries covered by an adequacy decision (Article 45), or otherwise under appropriate safeguards such as Standard Contractual Clauses (Article 46). The Privacy Shield Framework was invalidated by the Court of Justice of the EU in July 2020 (the Schrems II ruling); for transfers to the United States, its successor, the EU-U.S. Data Privacy Framework adopted in July 2023, again works by self-certification, and organizations that do not certify under it must rely on Standard Contractual Clauses with a documented transfer risk assessment.

Why You Should Partner With JK Consulting:

As a Managed Service Provider (MSP), JK Consulting has the experts and necessary tools in place to assist you in obtaining and maintaining GDPR compliance.

Our managed compliance solution can help your business achieve and maintain its data security requirements, help streamline the ongoing compliance processes, and stay up to date with the complex and evolving data protection laws and regulations worldwide.

JK Managed GDPR Compliance benefits:

  • Network Security
  • Backup and Disaster Recovery
  • Data Encryption
  • Secure Passwords
  • Multifactor Authentication
  • Limited Administrator Access