How to Determine GDPR Applicability and Future Enforcement

04/17/2018  |  By: Caryn Woolley, CPA, CISA, PCI, QSA, Director of Quality Assurance and Professional Development


The E.U.’s General Data Protection Regulation (GDPR) goes into effect on May 25, 2018, and it is going to have a bigger impact on U.S. organizations than you might think. Penalties for violations are steep (administrative fines of up to 4% of worldwide annual turnover or €20 million, whichever is higher, under Article 83), so you will want to be prepared.

But, many organizations do not know if the GDPR applies to them and, even worse, are unsure how to find out. 

You might be asking, “Does the GDPR apply to my company?” If so, here are four questions you should ask.

1. Is my organization established in the E.U.? If your organization has an establishment in the E.U. (offices, staff, or operations there), then yes, the GDPR applies to any processing carried out in the context of that establishment’s activities, regardless of whether the processing itself takes place inside the E.U. (Article 3(1)). Some organizations have only a “shell” entity within the E.U. and are not truly offering services there. These circumstances vary and should be discussed with a privacy professional to determine applicability of the GDPR to your organization.

2. Is my organization a controller or processor under GDPR (or both)? Article 4 of the GDPR defines the different roles and responsibilities of controllers and processors for organizations that process personal data.

  • Controller (Article 4(7)) means “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”
  • Processor (Article 4(8)) means “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”

As it can sometimes be difficult for organizations to determine which of these roles (if not both) best describes them, an information security partner can be helpful in making a clear distinction. Organizations must know their role(s) to comply with their specific GDPR responsibilities.

3. Does my organization offer goods or services to people in the E.U.? This is where things get a little tricky. Article 3(2)(a) brings non-E.U. organizations into scope when they offer goods or services to data subjects who are in the E.U., and Recital 23 makes clear that merely having a website or e-mail address that is reachable from the E.U. is not, by itself, enough. It helps to distinguish between “offering” and “selling.” Not sure about the difference between those two? Here is what you should know:

  • “Offering” means specifically targeting customers in the E.U.
  • “Selling” means you are not targeting E.U. residents, but, if an E.U. resident wants to purchase your product or service, you will still sell to them.

If you are offering to E.U. residents, you are responsible for adhering to the GDPR. However, if you are simply selling to E.U. residents, the GDPR may not be applicable to your organization.

If you are selling to E.U. residents, the question is whether your business shows an intention to serve that market. Recital 23 lists the kinds of evidence that matter: offering a language or currency used in one or more Member States, allowing orders in that language, shipping to the E.U., or referring to E.U. customers or users. The share of your revenue that comes from E.U. residents is a useful practical indicator of that intent rather than a legal threshold: if E.U. residents are a very small, incidental percentage of your revenue and none of those indicators are present, you are more likely to fall out of the GDPR’s scope. However, if a significant part of your company’s revenue comes from E.U. residents, you are more likely to fall under the GDPR’s scope.

You may not feel you are offering or selling services to people in the E.U. Some organizations are simply ingesting lots of data for analytical, technical, research, or other reasons. If this data contains information about individuals in the E.U., the GDPR may apply to you. Note that the regulation protects data subjects who are in the E.U., not only E.U. citizens; nationality is not the test. The GDPR would also likely apply to you if you are processing information on behalf of an E.U. company: at a minimum, that controller must bind you to the processor obligations of Article 28 by contract.

4. Are you monitoring activity or behavior within the E.U.? Article 3(2)(b) brings non-E.U. organizations into scope when they monitor the behavior of data subjects as far as that behavior takes place within the E.U. For example, if your company provides an app that includes any level of monitoring, and you have users residing in or even visiting the E.U., you are in scope of the GDPR. Even if an app is only available in the U.S., if you track users while they are in the E.U., you likely need to comply with the GDPR.

If the GDPR does apply to you, here is what you should do:

  • Map out the entire data flow of your organization, and take inventory. Classify all data according to type, if you have not already. You will need to locate every system, network location, and third party storing, processing, or transmitting in-scope (personal) data.
  • Once you have determined where this data resides, it is time to implement policies, procedures, technical measures, and processes that allow your organization to meet the GDPR obligations that apply to its processing activities.

While the GDPR presents new challenges for organizations storing or processing personal data, compliance is possible, especially with the right guidance. Contact us today, and we will analyze and classify your organization’s data to determine GDPR applicability. Whether the GDPR applies to your organization or not, after working with us, you will know for certain. If you are in-scope, we will help you navigate the GDPR’s complexities and implement controls to ensure compliance.