Is Your Business Ready for the GDPR Deadline?

By John Monahon, Partner at Trusted Counsel

EU General Data Protection Regulation takes effect May 25, 2018

If you are a U.S. business providing goods or services to individuals and businesses in the EU, it is time to undergo a thorough review of your data processing procedures.

The goal of the EU General Data Protection Regulation ("GDPR") is to give individuals greater control over how organizations process their personal information. Although GDPR is an EU regulation, many U.S. businesses are discovering that they may have obligations under it.

Below are questions you should be asking.

What is GDPR?

  • GDPR is a data protection and privacy regulation in EU law pertaining to processing an individual’s personal data.

What is personal data?

  • Any information relating to an identifiable natural person, that is, a person who can be identified, directly or indirectly, in particular by reference to an "identifier" such as a name, an identification number, location data, or an online identifier.

If my business is in the U.S., do I have to comply?

  • GDPR applies to organizations established in the EU. It also applies to organizations outside the EU, including U.S. businesses, that (1) offer goods or services to individuals in the EU and/or (2) monitor the behavior of individuals in the EU.

If my business is B2B, do I still need to comply?

  • GDPR can definitely apply in B2B relationships. Although GDPR regulates the processing of individuals' personal data, its application is not limited to businesses that deal only with individuals (i.e., consumers). In a B2B relationship, a vendor may collect personal data about the individuals who work for its business customers, or about individuals who are customers of those business customers, and either may subject the vendor to GDPR.

What is the first step to GDPR compliance?

  • Determine whether your organization is subject to GDPR by performing a thorough review of the personal data your organization collects, determining how it is used, and deciding whether you have a lawful basis under GDPR to use it. Generally, a lawful basis for GDPR purposes can rest on express consent, performance of a contract, compliance with a legal obligation, or legitimate interests.

What other steps may be necessary for GDPR compliance?

  • If your organization is a "controller" of personal data (i.e., it determines the purposes and means of processing the personal data), you must address your organization's own compliance requirements as well as the compliance of those who process personal data on your organization's behalf (its "processors").
  • Your organization should review and revise its privacy policy or customer contracts so that they are transparent and inform individuals about the manner in which your organization processes personal data. This includes the purposes for collecting and processing personal data, data retention policies, and how the personal data will be shared with others.
  • For those processing data on your organization's behalf (for instance, a vendor that hosts the data), you will be required to put in place a written agreement that identifies the specific personal data the vendor will process, the type of processing to be performed on it, and the security and technical safeguards the vendor must maintain.

If you have any questions or concerns regarding GDPR and your organization's compliance efforts, please do not hesitate to contact me. Global confusion still surrounds GDPR compliance, and we are here to assist. I may be reached by phone at 404.961.7641 or by email at jmonahon@trusted-counsel.com.

Best Practices for Managing Cyber Risks

Managing Partner Evelyn Ashley speaks this week at The Morison KSi North America Annual Conference in Boston, MA. Morison KSi is a global association of leading professional service firms, serving the cross-border accounting, auditing, tax and consulting needs of clients. Ashley will be presenting "Managing Cyber Risks: A Legal & Business Plan of Action." Below is an excerpt from her presentation on best practices for managing cyber risks.

Educate and Train Everyone
It's vital that the "C-Suite" team create a culture of privacy protection. In other words, it's not just about protecting the client information, but also about protecting the company information. Discuss and communicate with your team how data will be collected, used and disseminated. Educate and train your employees and contractors on proper data and technology protection procedures. Provide regular updates to everyone on phishing schemes and viruses. It's vital.

Invest in Technology
Simply said, old technology will make your network vulnerable. So be proactive and update your firewalls regularly, as well as your computer passwords. In addition, network and hardware backups should be done at least daily; more frequently is even better. Beware that CPA and law firms are targeted for attacks because they are not always up to date technically and are very vulnerable.

Have a Data Security Policy
This is a document that is used as part of the training and education process. Don't create one simply to have one and then put it away. Remember that it's a living document. All employees should have access to it, and it should be updated periodically. Also, have your IT department run friendly hack tests and vulnerability tests against your systems.

Information Storage Limitations
Eliminate data for which your business has no real need.

Get Cyber Insurance
On average, a breach involves between 15,000 and 20,000 records. Take into account a cost of roughly $40.00 per record to correct, and it gets very costly. It is well worth looking into and getting insured.