GDPR Compliance Services | Security Experts Who Can Help
The General Data Protection Regulation (GDPR), enacted on May 25, 2018, can be confusing and is becoming an increasingly fraught issue for U.S. companies. Touchstone Security offers a full suite of GDPR Compliance Services. To comply with the GDPR, many U.S. companies have relied on the EU/U.S. Privacy Shield (a self-certifying mechanism administered by the U.S. Department of Commerce). However, on July 16, 2020 the EU Court of Justice (CJEU) struck down the Privacy Shield, putting many companies at risk.
There are three key aspects of the GDPR that companies must be aware of. First, if a company offers a product or service in the EU, regardless of whether the company has nexus in the EU, the company must comply. Second, Recital 14 states “The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data”. This broad application to “natural persons” and their “place of residence” means it does not matter where or who a person is – if the transaction occurs in the EU, over the internet or otherwise, it is covered. Third, Controllers and Processors established in the EU must comply with the GDPR, even if the processing of data takes place outside the EU.
Touchstone was amazing to work with! We had some issues with our systems and integration of new programs. We felt that the security of our systems was not up to the best standards. The CEO, Richard Shinnick, personally came over and evaluated our systems. He was able to pinpoint the holes in our systems immediately and fix any potential issues before they ever happened. One of the best IT Firms I have ever worked with. Thank you Touchstone!
Rich and his team are remarkable. While at Columbia University Teachers College, they helped us plan/implement several large scale projects including ubiquitous wireless deployment and a firewall implementation. Rich has an extensive IT background and is an all around great guy to work with. I recommended that we bring his team in at St. John’s as well. They were able to come in, assess the situation, and provide the same fantastic results. I highly recommend Rich and his team.
Rich brings solid IT security experience along with immense integrity in the work he has performed for IntegraMed. All of his projects were completed on time and within budget. His track record of delivering reliable concept-to-reality projects under the pressures of high-availability and heavily compliant environments precedes him. I endorse Rich personally and professionally and look forward to working with him again on future projects.
Rich is deeply technical and very thorough, but most of all he is a very honest person. He can make any technical jargon simple to understand in layman’s terms and help you understand what he is proposing, so all know the benefits of what is being recommended and implemented. I would work with Richard again on any project initiative that I may be involved in in the future.
We needed a security sharpshooter to assist with responding to the stringent requirements of a major academic healthcare system based on a comprehensive audit of our platform. Touchstone expertly facilitated our response and created the missing programs and policies necessary to satisfy our needs.
Touchstone Security specialists completely blew away our most experienced and technically strong managers and some of our best people in infrastructure and security. Richard was in their words “a perfect 10.” He not only addressed the issues we asked him to look at but identified other areas of improvement in our security posture. Our team rated them “a perfect 10”!
GDPR Examples
- If a U.S. citizen is in the EU on holiday and buys a product/service from your website for delivery to the EU, you must be compliant.
- If an Italian citizen, living in New York, orders something from your website from their NY home, and has it delivered to their NY address, GDPR does not apply.
- If a French citizen living in Berlin visits your U.S. website and downloads a free e-book by providing his/her name, email, and telephone number, GDPR applies.
- If a U.S. company sells a product and offers to ship to Europe, GDPR applies.
However, if the processing of a person’s personal data, or the monitoring of their behavior, takes place outside the EU while that person is physically in the EU, and results from a specific offer NOT directed at natural persons in the EU, GDPR does not apply.
Confused yet? The GDPR applies to all businesses offering a product/service to EU residents, and/or if the business monitors the behavior of persons inside the EU. If you are a U.S. company that has the potential to handle the personal data of anyone physically in the EU, you are likely legally obligated to comply with GDPR. The GDPR’s purpose is to safeguard data subjects’ personal information and rights and mitigate the risk of companies that handle personal information experiencing a data breach. The European Union is ramping up enforcement of GDPR.
Ensuring that your organization is GDPR compliant is not only good practice but is also important to protect yourself from potential fines and penalties. Touchstone is here to help you understand how the GDPR regulation may apply to your business. We can clarify the data protection and accountability principles covered under GDPR and help you design a roadmap to meet compliance and avoid incurring lofty fines.
Understanding the General Data Protection Regulation
Enacted in May of 2018 by the EU, the GDPR is considered the most stringent privacy protection and security law in the world. Although the EU enacted the regulation, it applies to any organization, regardless of location, that handles the personal data of anyone visiting or living in the EU.
Personal data is defined as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” Under this definition in the GDPR, “any information” encompasses a range of personal data.
There are six data protection principles outlined in the GDPR related to how personal data should be processed (summarized below from Article 5 of the GDPR. See the full text for a complete description of each item):
1. Personal data must be processed lawfully, fairly, and in a transparent manner.
2. The reasons for collecting the data must be specified, explicit, and legitimate.
3. Organizations must focus on “data minimization” — data collection must be limited to what is necessary.
4. Data must be kept accurate and up to date.
5. Data must only be stored for as long as necessary for a specified purpose.
6. Data processing must be done in a manner that ensures appropriate security of the personal data.
In the last point, appropriate security extends to many security measures for personal data. These include protecting against unauthorized or unlawful processing of the data, accidental loss, and destruction or damage. Data protection and cybersecurity measures such as encryption can be enacted to safeguard personal data against threats such as data breaches. Touchstone’s GDPR Compliance Service can help you identify areas for improvement where you can implement security measures in alignment with GDPR’s complex requirements.
Disclaimer: in no way is this document to be considered legal advice, as this is our best attempt at interpreting the GDPR. Always seek legal counsel when in doubt.
Touchstone GDPR Compliance Services
The Touchstone GDPR Compliance Service is designed to help you navigate this vast and daunting regulation — and understand how it may apply to your business. The entire GDPR regulation is nearly 100 pages long and covers a wide range of data security measures, incident response, and principles for the handling of personal information. If you are unsure whether you meet GDPR compliance, we highly recommend consulting with qualified experts to assess your compliance requirements. Fines for non-compliance range from up to 10 million euros for less severe violations to 20 million euros for severe violations. In 2020 alone, the E.U. has fined hundreds of companies for non-compliance. Even several large U.S.-based companies — such as Google, Verizon, and Marriott — have incurred fines.
Our information security experts can help you identify areas where you may be non-compliant and develop a set of security controls to help meet regulatory compliance. We conduct a thorough assessment of your data processing activities, your security program, and your company’s risk management. If there are areas where your data security can be optimized to meet compliance, we help you figure out how to do that. We can perform a comprehensive privacy impact assessment and outline a strategy to enact security measures that align with GDPR requirements.
Non-compliance can be costly, and GDPR requirements can be complicated. Touchstone is here to help your business navigate the compliance requirements. Contact us today to find out how we can help you understand and meet GDPR compliance.