CISA, CRISC, CGEIT, PMP, CDPSE, Principal, Global Leader, Cybersecurity, Technology Risk, and Privacy
View full biography
General Data Protection Regulation (GDPR): The Road to Compliance
The European Union’s (EU) General Data Protection Regulation (GDPR), which took effect May 25, 2018, established a set of privacy and security mandates for organizations that store, process, transmit, or use personal data collected from EU residents.
Noncompliance may result in fines, class-action lawsuits, loss of customer trust, and a damaged reputation. Depending on the severity of the violation, fines may be as high as 20 million euros or 4% of the previous year’s global revenue. Organizations are also required to demonstrate continuous GDPR compliance and ongoing monitoring of their respective environments.
Companies should focus on several key areas as they establish and mature practices related to GDPR compliance and implement associated controls. These areas include:
- Documentation of how the company processes personal data ─ what data is being processed and why ─ as well as who else besides your organization processes the data (e.g., third-party vendors)
- A review and update of IT security, data privacy policies, and incident response plans
- A determination if the company needs to employ or outsource a Data Protection Officer (DPO)
- Employee education and awareness training on security and data privacy
- Protocol for responding to requests from EU residents, such as those who want their personal data removed from the company’s systems
- Data inventory and mapping of the information tracked when a customer interacts with the company’s website
- A notice on the website that gives customers the option to consent to receive any marketing information or tools (e.g., cookies)
It can be challenging for organizations to understand the nuances as to whether they are required to be compliant and how to operationalize their privacy programs.
Our proven approach to helping organizations move toward GDPR compliance was developed by our Cybersecurity, Technology Risk, and Privacy leadership team based on their experience performing similar engagements to support our global clients and the international privacy requirements of various regions and countries. Our methodology is designed to help companies navigate the complexities surrounding GDPR compliance and to holistically assess their business processes and technology using a combination of technical methods and other techniques, to provide practical and feasible recommendations to help them comply.
Based on our extensive experience and deep knowledge of the regulations, our step-by-step process helps ensure that gaps against the GDPR requirements are identified and prioritized, enabling companies to progress toward their compliance goals.
Related Services
This has been prepared for information purposes and general guidance only and does not constitute legal or professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick LLP, its partners, employees and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.
Related Insights
-
Press ReleaseSun joins CohnReznick as Principal, CybersecurityDavid Sun leads CohnReznick’s security incident response and recovery; computer forensic and litigation support; and cloud security services.
-
InsightUnderstanding Zero TrustBhavesh Vadhani, Adonye ChamberlainRead about the evolution of this cybersecurity paradigm, why it is increasingly necessary, and how to get started on its implementation.
-
InsightBe on guard for phishing attacks amid bank collapsesBhavesh VadhaniAs scammers take advantage of the chaos caused by the Silicon Valley Bank and Signature Bank turmoil, keep these key security principles top of mind.
-
InsightProposed regulatory changes increase board responsibility for cybersecurity programsScott Corzine, Bhavesh VadhaniProposed regulations may increase the responsibility of corporate board directors with cybersecurity programs. Learn more.