GDPR Compliance for U.S. Companies: Your Action Plan Explained

The GDPR (or General Data Protection Regulation) is an effort from the European Commission and the EU to ensure that EU citizens’ personal data is handled in the appropriate manner by organizations who hold their data.

Some are calling it an effort to give citizens’ back their right to manage their own data. The GDPR adoption should therefore result in protections for European citizens personal data and the means for citizens’ to have portability of their data.

The important takeaway here is the the General Data Protection Regulation is designed to ensure that consumers as well as companies know that their personally identifiable data is secure.

The GDPR document has 173 recitals and 99 articles. The recitals give explanations of the law in more of a vernacular, so that (and this is the goal here) almost anyone can understand them.

Yes, U.S.-based organizations, the GDPR applies to you too! If you’re a U.S. based organization, GDPR compliance may very well be necessary for you. Multinationals will have to care because they often have EU citizen data and some presence, you could be subject to a class action lawsuit if you lose that data. 

"But what if my U.S.-based company has no direct business operations in any of the 28 member states of the EU? I have nothing to worry about right?"

NOPE.

If you have a web presence (what company doesn't have a website nowadays?) and market your products over the web, you'll have to do a territorial scoping of the data you collect to figure out your GDPR requirements.

Article 3 of the GDPR says that if you collect personal data or behavioral information from someone who is in an EU country, then your company has some key GDPR compliance requirements. The GDPR applies to any business that stores personal information of those in the EU, so it doesn’t just apply to those companies who have locations or employees in the EU. If you sell products in the EU and have customer data, lead data or payment information of those who are in the EU, you must scope GDPR compliance for your organization.

For example, you have marketing for your organization, and your marketing department  fuels lead generation so that those leads can become customers. Each lead they generate contains personal data or personally identifiable information (PII) that makes that organization fall under the GDPR regulation.

Who are some high-probability U.S. sectors that fall under the scope of GDPR? Hospitality, travel, software, e-commerce retail.. these companies have to take a closer look at their online practices that generate paying customers. Any U.S. company that has a market in any EU country needs to review how it's generating and handling that data.

An important change in the GDPR that hasn’t received much attention concerns how the scope of the regulation changes based on geography.

The GDPR has an entire article on the topic (article 3) that says that if you collect personal data, PII or behavioral info from someone in an EU country, your company is subject to the requirements of the GDPR.

To Clarify: The GDPR only applies if the data subjects are in the EU when the data is collected. EU laws apply in the EU. If you collect an EU citizen's data when they're traveling outside the EU, the GDPR does not apply.

A financial transaction doesn’t have to happen for the scope of GDPR to apply. Just collecting the right kind of data from the right kind of person will make you responsible to prove GDPR our diligence. For example, you're collecting lead data that may contain personal data - or personally identifiable information (PII) - through marketing which many of us do, then you must protect that data in the style of GDPR if that citizen is of the EU.

For those that already follow existing data security standards (e.g., PCI DSS, ISO 27001, NIST), these new regulations shouldn't be too difficult to tackle. It's likely that you already follow a lot of data storing, processing and transmitting best practices. If you follow NIST Special Publication 800-171 for example - a Department of Defense regulation that is rumored to soon become 

However, the tough new GDPR 72-hour breach notification rule will certainly require IT departments to step up to the plate.

When there’s a breach involving “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed"..... IT pros unite! You'll immediately need to do an analysis of whether the exposed EU PII could potentially cause any “risk to the rights and freedoms” of those whose data was exposed.

Seem vague? That's what we thought. Here are some examples of data that, if exposed, could cause a risk to that data subject's personal freedoms:

• Credit Card Data
• Sexuality or Sexual Orientation
• Home Address
• Financial Information
• Social Security Info or Equivalent
• Data of Minors
• Medical History or Medical Data

If a breach for you ends up exposing a bunch of email addresses, home addresses, sex or gender identifiers, or anything that has sensitive data related to medical or financial information in it, especially if there is data associated with children or minors, you'll be had responsible to notify an EU regulator or a supervising authority - literally within 72 hours.

The exposure of credit card numbers or account passwords in a data breach will typically be the most common pieces of data that will require you to immediately notify not only the individuals whose data was effected, but also the supervising authority and EU regulator. 

So.... BIG QUESTION: What's the deal with enforcement?

There's definitely still questions lingering about the internet and in our own circles on how the European Union will actually enforce these best practices against U.S.-based companies. Especially for SaaS companies, multinational organization and any business marketing or doing business directly over the internet on their websites. Even the typical Web processes of major U.S. businesses have been affected by the enforcement of the GDPR regulation.

You've probably heard about the fines - so we'll spare you an entire section on them.

For those who don't know: Not reporting a breach to a regulator within 72 hours will cost you either 2% of worldwide revenue or €10 Million or somewhere in the higher tier if you've been really terrible at adopting data privacy and protection best practices, which is 4% of worldwide revenue or €20 Million - whichever is greater in both cases.

Key takeaway: Don't become a headline, and don't make slacking off on Data Protection best-practices make you lose a chunk of your business, if not all of it.

The General Data Protection Regulation may certainly seem complex to implement for those who haven’t focused on data protection and privacy measures in the past.

For organizations who are thinking of adopting the NIST Cybersecurity Framework (CSF)or who have already, it makes sense to use existing best practices provided by National Institute of Standards and Technology (NIST) than to wait until more EU guidance on how to actually attack this project comes out.

You’re probably aware of the ramifications and fines associated with a breach and non-compliance, or the “right to be forgotten”. We have extensive experience working with executives on security and risk projects (CyberSaint's CEO and Founder, George Wrenn, worked on the NIST Cybersecurity Framework himself). We have the knowledge of NIST CSF as well as data privacy to give you an understanding on how to “hack” GDPR with the NIST CSF.

The backbone of your privacy and data protection initiatives should be build on understanding and having real visibility into the data you have across your company’s processes and lifecycles. You must scope your information flows that both leave and enter your organization - and this isn’t just technical! It’s physical manifestations of data too, like spreadsheets and forms.

Using NIST Controls to Fulfill GDPR Requirements

The real point of GDPR? Accountability, data privacy and data protection. Using the NIST Cybersecurity Framework can add immense value on your journey to GDPR compliance. Various NIST security controls can help your company secure the confidential data that you need to through the five NIST Functions: Identify, Protect, Detect, Respond and Recover.

NIST 800-53 Publication, “Assessing Security and Privacy Controls in Federal Information Systems and Organizations” can help you introduced the continuous evaluation of your security procedures in your organization related to the GDPR. 

Interestingly enough, NIST just published a new draft of its Risk Management Framework (RMF) to include measures on data privacy. The NIST 800-37, “Guide for Applying the Risk Management Framework to Federal Information Systems,” or Risk Management Framework (RMF) can help you achieve GDPR requirements by following it. 

Not only does the CyberStrong Platform have the NIST 800-30 Risk Management Framework built in to assess your risk and data type, but it also has NIST's Appendix J built in to make GDPR compliance a no-brainer, while also aligning with NIST's gold-standard cyber practices.

If you want an entry level introduction into handling sensitive data, or even ever consider selling to the government, consider adopting NIST 800-171 - originally required by the Department of Defense for all of its large contractors and suppliers, now being made into a FAR (Federal Acquisition Regulation) for anyone who sells to the government. The NIST 800-171 Special Publication, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” is certainly where you could begin. 

You must assess risks in a continuous manner to address the GDPR, and this can be a big undertaking if you haven’t already set up a continuous compliance program.

If you don’t have a platform like CyberStrong that makes continuous compliance and reporting easy (Not just for GDPR.. for NIST Risk Assessments, NIST Cybersecurity Framework, New York Financial Regs, PCI Compliance, ISO2002 and any other framework you can think of..) you should probably consider it in order to save time, people hours and get off spreadsheets.

You must have an adequate, at the very least, risk assessment in place and procedures by which you deploy risk management initiatives (NIST RMF is a great option). CyberStrong helps you automate your risk assessment continuously as well, so that you can streamline your continuous compliance program for General Data Protection Regulation and any other standard you may need to address both now and in the future.