General Data Protection Regulation (GDPR): Are You on the Road to Compliance?

• Data processing principles (Article 5)
• Legal basis for collecting sensitive data (Article 9)
• Controller’s responsibilities (Article 24)
• Processor’s responsibilities (Article 28)
• Cooperation with Supervisory Authority (Article 31)
• Data breach notification (Articles 33-34)
• Designate/support Data Protection Officer (DPO) (Articles 37-39)
• Sanctions and penalties (Articles 79-84)
• Legal basis for processing (Articles 6-8)
• Data subject (EU resident) rights (Articles 12-22)
• Privacy by design and default (Article 25)
• Record keeping (Article 30)
• Security safeguards (Article 32)
• Data Protection Impact Assessment (Article 35)
• Data transfers outside of European Economic Area (EEA) (Articles 44-49)
• Employment laws (Article 88)

Key FOCUS AREAS

For organizations that have not started or are not yet fully GDPR compliant, take note of the key areas that should be in place or in process to show you are acting in good faith:

• Documentation of how your company processes personal data─ why it is being processed, who else besides your organization processes the data and what data is being processed;
• A review and update of IT security, data privacy policies and incident response plan;
• A determination if you need to employ or outsource a Data Protection Officer (DPO);
• Employee education and awareness training on security and data privacy;
• Protocol for responding to requests from EU residents such as those who want their personal data to be removed from your company’s systems;
• Data inventory and mapping of the information tracked when a customer goes to your website; and
• A notice on your website that gives customers the option to provide consent to receive any marketing information or tools (e.g. cookies).

Advantages with CohnReznick

Our proven approach to helping organizations become GDPR compliant was developed by our cybersecurity and technology risk leadership team based on experience performing similar privacy engagements to support our global clients and the international privacy requirements of the various regions and countries. Our methodology is designed to holistically assess your organization’s business processes and technology by using a combination of technical methods and other techniques, to provide practical and feasible recommendations with a focus on the organization’s ability to comply with the GDPR requirements.

Our step by step process ensures that all gaps against the GDPR requirements are identified and prioritized. We have years of experiences developing accelerated roadmaps to support our client’s efforts to become GDPR compliant.

About CohnReznick’s Technology Risk and Cybersecurity Practice

CohnReznick has been providing cybersecurity and technology risk services for more than 15 years, and our experience in this area has provided us with a strong foundation to help organizations balance a wide array of technology and cybersecurity-related risks to help protect their brands and assets.

Our technology risk and cybersecurity practice comprises experts in the assessment of strategic cybersecurity risk, evaluation, design, and remediation of IT security strategy and controls. The experience of the group is extensive, having delivered these services on numerous engagements. We utilize a methodology that is focused on identifying impactful risks and making solid recommendations to improve an organization’s IT security posture and control. Our automation and technology tools are leading edge, which enables us to maintain a highly effective work plan.

This has been prepared for information purposes and general guidance only and does not constitute legal or professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick LLP, its members, employees and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.