GDPR: A Practical Guide for U.S.-Based Organizations



GDPR: A PRACTICAL GUIDE | 2

Roadmap to Understanding & Complying with Data Protection Requirements

What You Need to Know About GDPR

The European Union (EU) is aggressive about protecting consumer privacy and has been for a long time. The General Data Protection Regulation (GDPR), which was adopted in April 2016 and became enforceable on May 25, 2018, supersedes Data Protection Directive 95/46/EC. This new regulation “harmonizes,” or brings into conformity with each other, the data protection laws of the 28 EU member states.

The GDPR empowers EU consumers with certain rights to help safeguard the privacy and protection of personal data. It hands control of personal data, ranging from name and web browsing history to gene sequences and real-time location, back to the consumer. The regulation gives EU consumers the power to control, monitor, check and, if desired, delete any information pertaining to them that they deem necessary.

The GDPR is here to stay and the world is quickly catching up. This regulation has rapidly reshaped the way organizations around the globe approach data privacy and has spread far past EU borders.

GDPR compliance is a journey, rather than a destination, towards a secure data management lifecycle. The hardest part of any journey is taking the first step. In this guide, we have broken down this complex regulation to identify common roadblocks and offer practical solutions to steer you in the right direction.

IMPORTANT TERMS

Data subject: A natural person whose personal data is processed by a data processor or data controller.

Data controllers: Organizations that collect and hold consumer data.

Data processors: Third parties that process consumer data for a data controller.

Data Protection Officer (DPO): A position that oversees data security and GDPR compliance.

Supervisory Authority (SA): A body established by each EU member state to hear and investigate complaints, sanction administrative offenses, and conduct other important activities.


Who Must Comply?

A misconception amongst U.S.-based organizations is that the GDPR does not apply to them. However, if your organization falls into any of the following categories, the GDPR does in fact apply:

Business-to-Business (B2B) company or nonprofit organization that serves EU clients.

U.S.-based organization that serves consumers worldwide.

U.S.-based organization with offices in the EU.

Organizations of all sizes, industries, and services are included. No one is exempt. The GDPR imposes new rules on for-profit businesses, nonprofits, government agencies, and other organizations that offer goods and services to people in the EU or that collect and analyze data tied to EU citizens or EU residents. For example, if your organization has a database with EU citizens’ private data or if data is collected from customers in the EU, the GDPR applies to your organization, no matter where it is located.

Knowing whether compliance is required for your organization can be as straightforward or as confusing as the regulatory language itself. For example, are EU users who land on a U.S. website automatically protected by the GDPR? In this case, it depends on whether the organization has targeted that EU user or not. Generic marketing is not under the purview of the GDPR, while targeted marketing of EU citizens or consumers is.

What are the rules on data collection? All marketing, advertising, or sales that involve EU citizens’ personal data fall under the GDPR, regardless of where that information was originally collected. The GDPR will also apply if personal data is collected from non-EU citizens while they are in the EU.

Who are likely U.S. candidates to fall under the GDPR’s territorial scope? U.S.-based hospitality, travel, software, and e-commerce companies particularly need to take a closer look at their online marketing practices. Additionally, any U.S. organization that has identified a market in an EU country and has published localized web content needs to review its web operations.

For those that already follow existing data security standards (e.g. PCI DSS, ISO 27001, NIST), these new regulations should not be a burden. U.S. companies, especially those with a strong web presence, should be paying attention and changing practices as soon and as quickly as possible.

Who Must Comply? Use Cases

Below are some additional use cases to consider when determining whether the GDPR may or may not apply:

If a Spanish user searches online and finds a website written in English for U.S. consumers or B2B customers, then the website would not be considered targeted marketing and the GDPR will not apply.

If a German user finds a website in German with references to EU users and customers, then the website would be considered targeted marketing and the GDPR will apply.

If a U.S. website accepts Euros or can be reached by a .nl suffix from the Netherlands, then the website would be considered targeted marketing and the GDPR will apply.

If a U.S. website uses cookies and collects tracking data from a European data subject, the GDPR will apply.

If an EU citizen has his conference badge scanned at a trade show exhibit booth in Melbourne and his data is then uploaded into a CRM in Atlanta, the GDPR will apply all the way to Atlanta.

If a non-EU citizen has his conference badge scanned at a trade show exhibit booth in Paris by a company physically residing in the EU, the GDPR will apply.

If an Italian user signs up for a service or buys something from a D.C.-based website, then the GDPR will apply.

If a Chicago-based software company targets France in a marketing campaign and asks users to provide their email address to download a whitepaper, then the GDPR will apply.


What Counts As Personal Data?

The GDPR’s main personal data elements include:

Basic identity data (e.g. name, address, email address, ID numbers, photos)

Ethnic or racial orientation

Web data (e.g. location, online behavior such as cookies, IP address)

Religious and political opinions

Health information and sexual orientation

Biometric data (e.g. gene sequences, facial recognition, fingerprints, retinal scans)

How Must Data Be Protected?

Data Protection Principles

Personal data must be processed according to the six data protection principles:

1. Processed lawfully, fairly, and transparently

2. Collected only for specific, legitimate purposes

3. Adequate, relevant, and limited to what is necessary

4. Must be accurate and kept up-to-date

5. Stored only as long as is necessary

6. Ensure appropriate security, integrity, and confidentiality


Data Subject’s Rights

Right to data access: EU citizens have the right to request and receive detailed information on what data your organization possesses on them and how it is utilized.

Breach reporting or notification: EU citizens must be notified within 72 hours of a data breach that might compromise their privacy.

Right to be forgotten or deletion: EU citizens can demand the deletion of all personal information (called “data erasure”) and can revoke consents previously given.

Data portability: EU citizens have the right to ask that your organization transmit their data to another party, making it easier for them to switch to a competing service or product provider.


What Does It Mean To Be Compliant?

Key GDPR Requirements

REQUIRING THE CONSENT OF DATA SUBJECTS FOR DATA PROCESSING

GDPR only allows organizations to process data with the explicit consent of the data subject(s) whose data they process. Additionally, organizations can store and process personal data for “no longer than is necessary for the purposes for which the personal data are processed.”

For example, a D.C.-based organization subject to the GDPR will need to obtain explicit permission for how it will use personal data, such as for e-mail promotions or sharing with third-party affiliates. In detail, this means a checkbox without a default “x” in it, accompanied by clear language describing what will be done with these email addresses. It is also not permitted to ask the user to click on a link to a long Terms & Conditions webpage filled with legalese.

ANONYMIZATION/PSEUDONYMIZATION OF COLLECTED DATA TO PROTECT PRIVACY

These techniques are supported by the GDPR as a means to further protect data subjects’ information via applicable technology. As referenced in the callout box on the following page, these storage techniques make it difficult for external parties to identify the personal information of a data subject, especially in the case of a breach. Given that the purpose of these tools is to protect a user’s identity, identifiers of all kinds should be subject to these techniques, including but not limited to:

• Family names
• First names
• Addresses
• Postal codes
• Telephone numbers
• Country-issued ID numbers (e.g. U.S. Social Security Numbers)


PROVIDING DATA BREACH NOTIFICATIONS

There is now a legal obligation to notify appropriate parties or the SA in the case of a breach within no more than 72 hours. Obligations may be modified if appropriate controls are implemented to protect user data such as encryption.

APPOINT A DPO, IF APPLICABLE

A DPO is required for data controllers and data processors if an organization’s core processing involves large amounts of personal data or requires “regular and systematic monitoring of data subjects on a large scale”. Exceptions may apply due to organization size but must be approved by an SA.

ENCRYPTION VS. ANONYMIZATION VS. PSEUDONYMIZATION

To comply with the requirement, the GDPR promotes encryption, anonymization, and pseudonymization.

Encryption has long been a standard tool for protecting data, supporting security by encoding messages in a way that only intended recipients can read.

Anonymization is the encryption or removal of identifiable information so that it can never be tied back to a user.

Pseudonymization is somewhere between identified and anonymous. With pseudonymization, the data components are anonymized and separated but can be put back together. For example, a system might assign a user one identifier for name and a different one for location, which can only be tied back to the user if they are put together with the user’s date of birth, which is kept separately.

The GDPR promotes pseudonymization over anonymization.
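The pseudonymization described in the callout box (a separate keyed identifier per field, reversible only with data kept apart from the working data set), applied to the identifier types listed under the anonymization/pseudonymization requirement, as an added Python example that is not from the guide or from Aronson. The key value, the lookup-table layout, the sample record and the postal-code truncation used for anonymization are assumptions made here for illustration.

```python
"""Pseudonymization vs. anonymization of the identifiers the guide lists.

Added example (not from the guide): direct identifiers are replaced by
keyed tokens, and the token-to-value lookup table is kept apart from the
working data set, as the guide's description of pseudonymization requires.
"""
import hashlib
import hmac

# The identifier fields named in the guide's list (family names, first
# names, addresses, postal codes, telephone numbers, national ID numbers).
DIRECT_IDENTIFIERS = (
    "family_name", "first_name", "address", "postal_code",
    "telephone", "national_id",
)


def _token(key: bytes, field: str, value: str) -> str:
    # HMAC over field name + value: the same value gets a different token in
    # different fields, so a name token and a location token cannot be
    # cross-matched without the key (the guide's "different identifier for
    # name and for location").
    msg = field.encode() + b"\x00" + value.strip().lower().encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def pseudonymize(record: dict, key: bytes, lookup: dict) -> dict:
    """Return a copy with identifiers replaced by tokens; fill `lookup`.

    `lookup` is the re-identification table. It must be stored separately
    from the pseudonymized data set (and from the key), because anyone who
    holds both the data and this table can re-identify the data subject.
    """
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            tok = _token(key, field, value)
            lookup[(field, tok)] = value
            out[field] = tok
        else:
            out[field] = value
    return out


def reidentify(pseudo: dict, lookup: dict) -> dict:
    """Reverse pseudonymization; raises KeyError without the lookup table."""
    return {f: lookup[(f, v)] if f in DIRECT_IDENTIFIERS else v
            for f, v in pseudo.items()}


def anonymize(record: dict) -> dict:
    """Irreversibly strip identifiers; keep only coarse, non-identifying data.

    The postal code is truncated to its first three digits (an assumption
    for this example) so regional analysis stays possible after removal.
    """
    out = {f: v for f, v in record.items() if f not in DIRECT_IDENTIFIERS}
    out["postal_region"] = record["postal_code"][:3]
    return out


# Constructed sample record (fictitious data for this example only).
SAMPLE = {
    "family_name": "Example",
    "first_name": "Alex",
    "address": "1 Sample Street",
    "postal_code": "75001",
    "telephone": "+33 1 00 00 00 00",
    "national_id": "000-00-0000",
    "order_total_eur": 42.50,
}


def demo(key: bytes = b"example-key-kept-in-a-separate-store") -> dict:
    # The key is a placeholder; in practice it lives in a separate key store.
    lookup = {}
    pseudo = pseudonymize(SAMPLE, key, lookup)
    # Same person, second record: tokens match, so records still link for
    # analytics without exposing the identifiers themselves.
    pseudo2 = pseudonymize({**SAMPLE, "order_total_eur": 7.0}, key, lookup)
    linked = pseudo["national_id"] == pseudo2["national_id"]
    try:  # Without the separately stored lookup table, no re-identification.
        reidentify(pseudo, {})
        reversible_without_table = True
    except KeyError:
        reversible_without_table = False
    return {
        "pseudo": pseudo,
        "restored": reidentify(pseudo, lookup),
        "anon": anonymize(SAMPLE),
        "linked": linked,
        "reversible_without_table": reversible_without_table,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```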


SAFELY HANDLING THE TRANSFER OF DATA ACROSS BORDERS

The transfer of data outside of the EU is prohibited unless one or more of the following circumstances are met:

• The EU Commission has approved the destination country.
• The U.S. organization has self-certified under Privacy Shield (an existing agreement between the EU and U.S. permitting the transfer of personal data).
• A multinational organization has EU-approved Standard Contractual Clauses or Binding Corporate Rules in place.


What Are The Repercussions of Non-Compliance?

The GDPR is a comprehensive law backed by unprecedentedly steep fines, enforced by the SA of each EU member state, that could cripple an organization that breaches its guidance. Fines are calculated as follows:

The Greater of €10 Million or 2% of Global Annual Revenue

If it is determined that non-compliance was related to technical measures such as impact assessments, breach notifications, and certifications, then the fine may be up to an amount that is the greater of €10 million or 2% of global annual revenue from the prior year.

The Greater of €20 Million or 4% of Global Annual Revenue

In the case of non-compliance with key provisions of the GDPR, regulators have the authority to levy a fine in an amount that is up to the greater of €20 million or 4% of global annual revenue in the prior year. Examples that fall under this category are non-adherence to the GDPR core principles of processing personal data, ignoring the rights of data subjects, and the transfer of personal data to third parties that do not ensure an adequate level of data protection.

Lastly, although it is still unclear how the GDPR will be enforced in the U.S., one can assume, with unprecedented fines being levied in the EU, that similar enforcement is on its way.


Roadmap to Compliance

When considering the possible consequences of non-compliance, organizations subject to the GDPR must act immediately. Just as you cannot climb a mountain in a day, however, you cannot revise your organization’s internal practices before COB. The path to GDPR compliance involves cross-functional efforts across the organization, as charted out in the following steps.

This is a daunting task for any organization but a necessary one for those that are not, and especially those that are, subject to the GDPR.

Build a Data Protection Program

First, decide what type of organization yours wants to be. Are you legally driven and just want to be legally compliant? Are you risk driven, and is risk reduction your ultimate goal? Are you ethically driven and want to be seen as an organization that does the right thing?

This is a crucial decision for any organization and will drive future decisions regarding data protection. No matter which direction is taken, GDPR requirements need to be considered.

Now ascertain what the current state of your organization is. Before moving forward, there has to be an understanding of what compliance controls are in place, if any. A few high-level areas of concern include:

The level of awareness that currently exists throughout the organization about data protection compliance.

What data is processed, how it is processed, where it is collected from, and why it is collected.

The policies, procedures, and training currently in place around data protection and what state they are in.

What needs to be done when a Data Subject Access Right request is received, and how to know it has been fulfilled according to GDPR standards.

Is the organization aware of how to respond in the event of a security breach impacting data subjects? Are key personnel aware of required GDPR actions (e.g. notification within 72 hours of discovery), and have these actions been communicated and practiced?


Once your current and aspirational future states are understood, it is time to start filling in the gaps. Executing a gap analysis (comparing GDPR requirements against current controls and standards) will identify where remedial actions are required to meet legal obligations. Additionally, these tasks should be prioritized based on the level of risk to which they expose the organization.

After a data protection program is up and running, it is important to review the program to make sure it is up-to-date with current laws and regulations, among other considerations. If changes need to be made, have a plan built in for how they will be made. This may include performing dry runs of preparing DSAR responses, as well as testing your Incident Response Plan in case a data breach is ever identified. Lastly, consider how success will be measured, whether by recording metrics, consumer complaints, internal test results, or other factors.

Create a Data Map & Classify All Personal Data

Creating a data map for your entire organization is a crucial step in becoming GDPR compliant. Mapping the flow of data will elucidate how it is processed and identify uses, both intended and unintended, more effectively.

In the process of mapping the flow of data, it also needs to be classified by type, so that data subjects and their flow of data can be easily identified. As a starting point, a typical data map should identify the following at a minimum:

Data items (e.g. personal data, transactional data)

Formats (e.g. hard copy forms, database entries)

Transfer methods (e.g. internal, external)

Locations (e.g. internal databases, the Cloud, third parties)

Individuals (who has access to which types of data and who is ultimately accountable)

Where high-risk processing activities may be involved, Data Protection Impact Assessments (DPIAs) are formal reviews that encompass the data map factors listed above but go into deeper analysis of the likelihood and severity of risks related to that data. These assessments are particularly applicable when beginning new projects involving the collection of data subject data. At that time, there is often an active exchange of user data with other organizations and the introduction of new IT systems that could store or access data subject data. Although these tasks may seem daunting, there is a wealth of resources to help provide guidance, as well as service organizations with the applicable subject matter expertise to help organizations begin their first steps towards GDPR compliance.


Implement Security Controls

Most organizations likely already have various types of security controls in place. Security controls specific to the protection of GDPR-applicable data are important to achieve long-term compliance with the GDPR and ultimately put your organization in a position to avoid GDPR non-compliance.

As a starting point, you should be able to answer the following questions related to high-level security controls.

Change management

• How are changes to information systems or databases that handle personal data tracked and managed?

• When modifying the enterprise environment or configuration settings for a single application, are potential security impacts to customer data assessed?

Access controls

• Who can access the data logically and physically?

• Is all access approved?

• Is privileged access required to move or modify personal data?

Auditing and logging

• Can your organization track who has modified or moved customer data at any given point in time?

• Is an automated alert sent if there are unintended or unauthorized modifications or removal of customer data?

System security

• What steps are taken to proactively identify threats to the environment and customer data?

• Are appropriate data security (e.g. encryption) steps taken?

• Is user activity monitored at appropriate levels?

Data backups and restoration

• Is customer data backed up appropriately?

• Is customer data secured appropriately?

While your organization may have these control families addressed, it is important to ensure the controls provide coverage over GDPR subject data as well.

Develop Policies & Procedures

Policies and procedures are important for any business or IT process within an organization, and they should be easily accessible to all parties (including external ones) that are responsible for handling personal data subject to the GDPR. Policy and procedure enforcement and knowledge start from the top down within every organization, so it is also important to make the importance of following them to the letter known to employees and to provide training if needed so they can execute them appropriately.

In particular for the GDPR, privacy policies must be closely examined to ensure adherence to GDPR standards. Organizations subject to the GDPR must take into account appropriate notifications to users about the potential collection, use, and rights surrounding data they submit to your organization.

Identify a Data Protection Officer (DPO)

This is not a GDPR requirement for all organizations, such as small private organizations. Designating a DPO provides a significant competitive advantage in becoming compliant and is a necessity if the following criteria are met:

Your organization is a public authority, regardless of size or what data you control or process.

Your organization’s core activity involves monitoring individuals systematically on a large scale.

Your organization processes “special categories of personal data” on a large scale. This refers to sensitive personal data, which reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic or biometric data for the unique identification of a natural person, health data, data concerning a natural person’s sex life or sexual orientation, or data relating to criminal convictions and offenses.

Implement Tools that Will Strengthen Privacy Controls

There are a variety of tools that have been created for the sole purpose of strengthening personal data privacy and assisting with GDPR compliance. As an organization, key stakeholders and management will need to identify the tools that best suit their needs, fit into their current IT environment, and complement the security or monitoring tools that might already be in place. Currently, tools exist that assist with data mapping and identifying GDPR personal information within your environment, monitor usage of and access to certain types of flagged data, and provide GDPR gap analysis assistance, to name a few.


What Are The Chances Of This Actually Affecting Me?

As we are all well aware, cybersecurity and user data privacy are concerns that are here to stay. U.S.-based organizations may think they have dodged a bullet for now, but trends are moving toward requiring these GDPR considerations all over the world.

The California Consumer Privacy Act (CCPA), which goes into effect January 1, 2020, may be the most relevant piece of legislation supporting this. As with the GDPR, there will be key requirements to address related to data collection and user privacy. Key overlaps include:

• Training
• Notice and consent
• Rights to object and rectify
• Encryption or redaction of personal information

Even if your organization is not currently subject to GDPR requirements, getting a head start by beginning to understand and review GDPR requirements will put many at an advantage in terms of preparation and implemented processes when the day comes that the U.S. implements its own version of the GDPR.


Provide Training to Users Who Have Access to Personal Information

Educating users within your organization about their possible new responsibilities to maintain GDPR compliance is a crucial last step. An organization can spend limitless resources addressing each step listed above, but if its users do not understand their roles, how to properly execute new processes, or how to effectively use newly implemented tools, then the organization is still at high risk of non-compliance.

It is of utmost importance to educate your users on GDPR requirements. Providing users with ongoing security awareness training on an annual basis or more frequently will pay dividends down the line as security best practices and risk awareness become ingrained in your culture. Key considerations to include in training and communications to personnel who deal with personal information include data handling basics, key GDPR requirements that must be adhered to (e.g. 40 days to satisfy a DSAR), how to respond in the event of an incident, and documentation of who to contact with questions or concerns related to GDPR compliance.


How We Can Help

As outlined in this document, the effort required to become GDPR compliant is significant.

Evaluating your control environment and existing gaps can be an intimidating task, especially if you need to follow it up with appropriate and feasible remediation actions. Aronson’s Risk Advisory team has decades of experience in dealing with control evaluations, gap analyses, and remediation actions across multiple security frameworks (e.g. NIST, ISO, COBIT, ITIL). We offer a wide range of services designed to assist you in achieving your compliance needs.

Let us help get you started on the journey to GDPR compliance.

For more information or to discuss a GDPR consultation, contact PAYAL VADHANI, Lead Partner of Aronson’s Risk Advisory practice, at [email protected] or 301.231.6259.

About Aronson LLC

Aronson LLC provides a comprehensive platform of assurance, tax, and consulting solutions to today’s most active industry sectors and successful individuals. For more than 55 years, we have purposefully expanded our service offerings and deepened our industry specialties to better serve the needs of our clients, people, and community. From startup to exit, we help our clients maximize opportunity, minimize risk, and unlock their full potential. For more information about Aronson LLC, please visit www.aronsonllc.com or call 301.231.6200.
