The E.U.’s General Data Protection Regulation (GDPR) goes into effect on May 25, 2018, and it is going to have a bigger impact on U.S. organizations than you might think. Penalties for violations are steep, so you will want to be prepared.

But, many organizations do not know if the GDPR applies to them and, even worse, are unsure how to find out.

Does the GDPR apply to my company?

Here are four questions you should ask to determine if the GDPR applies to your company.

1. Is my organization established in the E.U.?

If your organization is physically operating anywhere in the E.U., then yes, the GDPR does apply to you, and you must abide by its requirements. Some organizations may have a “shell” within the E.U. but not truly be offering services there. These circumstances vary and should be discussed with a privacy professional to determine applicability of the GDPR to your organization.

2. Is my organization a controller or processor under GDPR (or both)?

Article 4 of the E.U. GDPR identifies the different roles and responsibilities of controllers and processors for organizations who harbor personal data.

  • Controller refers to“the natural or legal person, public authority, agency, or another body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Processor refers to “means a natural or legal person, public authority, agency, or another body which processes personal data on behalf of the controller.

As it can sometimes be difficult for organizations to determine which of these roles (if not both) best describes them, an information security partner can be helpful in making a clear distinction. Organizations must know their role(s) to comply with their specific GDPR responsibilities.

3. Does my organization offer services to people who live in the E.U.?

This is where things get a little tricky. The GDPR differentiates between “offering” and “selling.” Not sure about the difference between those two? Here is what you should know:

  • “Offering” means specifically targeting customers in the E.U.
  • “Selling” means you are not targeting E.U. residents, but, if an E.U. resident wants to purchase your product or service, you will still sell to them.

If you are offering to E.U. residents, you are responsible for adhering to the GDPR. However, if you are simply selling to E.U. residents, the GDPR may not be applicable to your organization.

If you are selling to E.U. residents, the applicability of GDPR to your organization depends on how much business you are doing there. If E.U. residents are a very small percentage of your revenue, you are more likely to fall out of the GDPR’s scope. However, if a significant part of your company’s revenue comes from E.U. residents, you are more likely to fall under the GDPR’s scope.

You may not feel you are offering or selling services to E.U. citizens. Some organizations are simply ingesting lots of data for analytical, technical, research, or other reasons. If this data contains information from E.U. citizens, GDPR may apply to you. GDPR would also likely apply to you if you are processing information for an E.U. company.

4. Are you monitoring activity or behavior within the E.U.?

For example, if your company provides an app that includes any level of monitoring, and you have users residing or even visiting the E.U., you are in scope of the GDPR. Even if an app is only available in the U.S., but you track them while they are in the E.U., you likely need to comply with the GDPR.

If the GDPR does apply to you, here is what you should do:

  • Map out the entire data flow of your organization, and take inventory. Classify all data according to type, if you have not already. You will need to locate all network locations storing or transmitting in-scope (personal) data.
  • Once you have determined where this data resides, it is time to implement policies, procedures, technical measures, and processes to allow your organization to comply with any of the in-scope actions of the GDPR.

While the GDPR presents new challenges for organizations storing or processing personal data, compliance is possible, especially with the right guidance. We can analyze and classify your organization’s data to determine GDPR applicability. Whether the GDPR applies to your organization or not, after working with us, you will know for certain. If you are in-scope, we will help you navigate the GDPR’s complexities and implement controls to ensure compliance.

How the GDPR Will Affect U.S. Organizations

The General Data Protection Regulation (GDPR) is the most important change in international data privacy regulation in 20 years and is the latest in a series of European Union (EU) parliamentary measures created to place the highest levels of protection around personal data.

Many U.S. organizations have questions about how GDPR impacts them, especially pertaining to the types of personal data they have, how the GDPR defines personal data, and the new protection laws against that personal data. As the GDPR enforcement date begins May 25, 2018, LBMC wants to make sure your organization is prepared. Here are some GDPR basics that are important for your organization to know.

GDPR Origins

As the EU has a long history of working to protect consumer privacy, they established the GDPR in hopes of being a global leader in these efforts. The guidance that led to the regulation development was tested through two major legal challenges, which eventually resulted in the need for GDPR.

Who’s Affected by the GDPR?

GDPR applies to all companies processing and holding personal data of data subjects residing in the EU, regardless of the company’s location. This impacts many areas of an organization, including legal and compliance, technology, and data. U.S. organizations should take notice and determine the applicability of GDPR to their company. If applicable, U.S. companies need to ensure they are in compliance with the regulation as failure to comply can result in strong penalties.

How LBMC Can Help

LBMC can help answer GDPR questions and offer guidance for determining if your organization is a controller or processor under GDPR (or both), direction on whether you need to assign a Data Privacy Officer, and understanding how GDPR can impact your organization even outside of the European Union. LBMC’s experience in data and information security compliance under various frameworks (ISO, ITIL, COBIT, NIST, HITRUST CSF, etc.) can identify the gaps between GDPR requirements and an organization’s current security posture. LBMC’s GDPR compliance services and methodology includes:

  • Discovery— We work with you to determine the types of data obtained, stored and/or processed, including the following activities:
      • Review existing data classification policy
      • Evaluate existing data labeling processes
      • Develop an inventory of the nature and type of sensitive data in the organization
  • Impact Analysis—In this step, LBMC works to determine the applicability of GDPR to your organization, as well as identifying any potential gaps by finding answers to questions such as these:
      • Do you store, process, or transmit data on EU residents?
      • Is there a legal basis for processing the data?
      • Do you have consent for the data in your control?
      • Where does the in-scope data go when it leaves your organization?
  • Reporting—Once the impact analysis is complete, LBMC will report on GDPR applicability, gaps, and recommendations for the organization

If you’re ready to explore whether your organization will be affected by GDPR and how to maintain compliance, contact the LBMC Cybersecurity team today.