Compliance

The General Data Protection Regulation (GDPR)

The GDPR Overview

This Regulation lays down rules relating to the protection of natural persons regarding the processing of personal data and rules relating to the free movement of personal data. The GDPR protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data. This Regulation applies to

  • the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

  • the processing of personal data in the context of the activities of an establishment of a controller or a processor in the European Union (EU), regardless of whether the processing takes place in the Union or not.

  • the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to:

    • the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the EU; or

    • the monitoring of their behavior as far as their behavior takes place within the EU.

The GDPR is considered an extraterritorial regulation and is inclusive of data stored offshore from the EU. Potential fines for violation are up to four percent of an organization's worldwide gross sales based upon last year's financial statements, with a limit of €20 million. Read our blog for helpful tips on achieving compliance.

Data Subject Rights: The GDPR secures a broad range of specific rights for data subjects, which include:

  • Right of access

  • Right of rectification

  • Right of erasure (right to be forgotten)

  • Right to restriction of processing

  • Right to notification regarding rectification, erasure, or restriction of processing of personal data

  • Right to data portability

  • Right to object

  • Right not to be subject to a decision based solely on automated processing, including profiling

  • Right to lodge a complaint with a supervisory authority

  • Right to an effective judicial remedy against a supervisory authority

  • Right to an effective judicial remedy against a controller or processor

  • Right to compensation for the damage suffered

The Regulation consists of 11 chapters containing 99 articles. A high-level structure of the regulation is shown in the table below:

Our Related Services

Our team of experienced consultants can help your organization in the following areas:

  • Establishing a compliance management solution for ongoing monitoring, maintenance, and maturation of your compliance efforts for GDPR

  • Performing gap analysis between current state of your technical and organization measures and the target GDPR requirements

  • Developing or enhancing requisite security policies and procedures

  • Performing self-assessment or third party attestation for the Cloud Security Alliance (CSA) Code of Conduct for GDPR Compliance

  • Performing a third party attestation (CCM-SOC2) for the CSA STAR Registry listing

Give us a call at 954-362-7113 or schedule an appointment for a free consultation to get started.

More about other frameworks and standards

NIST SP800-53

NIST Cybersecurity Framework (CSF)

CSA Cloud Controls Matrix (CCM)

ISO/IEC 27001/27002

Payment Cards Industry Data Security Standard (PCI DSS)

Cybersecurity Maturity Model Certification (CMMC) 2.0 Framework

SWIFT Customer Security Controls Framework