The General Data Protection Regulation (GDPR) (EU) 2016/679 is a security and privacy regulation affecting any entity that stores or processes private information of European citizens, regardless of the company’s physical location.

Many people ask “how do I know if GDPR affects my organization?”

Let’s map out a couple examples to add clarity.

Example 1: A local US-based college allows students from any country to enroll via an online form. Does GDPR apply?

Yes. The fact that a student from the EU can input private information such as their name, address, phone number, DOB and email address into the a form on the website means GDPR compliance is in play.

Example 2: A non-profit organization in New York connects impoverished children in Europe get connected with the help they need. The non-profit doesn’t store any of the children’s’ data online or in a computer system. All data is taken over the phone and transcribed into paper documents, then filed in a filing cabinet. Does GDPR apply?

Yes. GDPR applies (1) where processing of personal data is conducted by “automated means,” and (2) where processing of personal data is not conducted by automated means, but the data “form[s] part of a filing system or [is] intended to for part of a filing system.” GDPR, Article 2(1). Even though the non-profit’s filing system is paper, it is within the purview of GDPR. With that, there are several sections of GDPR that would be non-applicable, such as the demand for a robust cybersecurity program (you can’t hack paper). In less-than-clear situations like this, it’s best to consult both a cybersecurity firm such as PIRC and your (or our) legal counsel.

The goal of PIRC’s GDPR Article 32 professional services is to help organizations satisfy some of the requirements, as underlined below, within Article 32 of GDPR which states, in part:

  1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

(a) the pseudonymisation and encryption of personal data;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

Our services specifically map the underlined text above to the following professional services.

GDPR Article 32 RequirementOur Service
“ensure a level of security appropriate to the risk”
  • Cybersecurity Risk Assessment
“ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services”
  • NIST-Based Cybersecurity Maturity Assessment
“the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident”
  • Incident Response Plan
“regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing”
  • Internal and External Combined Penetration Test
  • Vulnerability Assessment

The SANS Institute, a well-respected cybersecurity training organization gives ten formal steps to getting started with GDPR compliance.

  1. Don’t wait. Start now.
  2. Document your review of technology for GDPR compliance and your steps toward achieving compliance.
  3. Institute a constant and ever-improving process of analyzing the risks that apply to the data for which you are responsible.
  4. Adopt a routine for maintaining the considerable documentation expected under the GDPR.
  5. Evaluate and implement technologies identified in this paper not only to achieve compliance with the GDPR’s security expectations, but also to prevent a breach from ever happening.
  6. Stay abreast of and implement authoritative global guidelines on information security.
  7. Recruit, train and appoint a qualified data protection officer.
  8. Monitor efforts at an EU level and in member states to prepare for enforcement of the GDPR.
  9. Establish familiarity with the supervising authority or authorities most relevant to your operations. Become familiar with its staff and procedures.
  10. Monitor technical guidance and, possibly, codes of conduct from relevant EU authorities, such as regulators in member states and EU-wide authorities, such as the Article 29 Working Party, which will become known as the European Data Protection Board.