EU GDPR demystified: a straightforward checklist for US firms (PART THREE)

In this GDPR post, we provide you with a curated checklist to assist you during your journey to compliance with the new European GDPR regulation, coming into effect in May 2018. Learn more about GDPR and its implications in our previous articles:

EU GDPR demystified: a straightforward reference guide for US firms – Part One 

EU GDPR demystified: a straightforward reference guide for US firms – Part Two


Determine whether the data subjects you target and collect data from require you to comply with GDPR.

Whether you are based within the EU or not, GDPR can apply to you. Note that GDPR applies to any services provided to EU subjects in exchange for ads, as well as services and products provided to EU subjects in exchange for payment.

Here are a few criteria that could be used by the authorities to determine whether you are within GDPR’s scope:

Language Availability: Do you have a German, French or Spanish language version of your website? If you aren’t located in a country that officially speaks any of those languages, it may be seen as an indication that you are targeting EU-based data subjects.

Currency Availability: Offering transactions in Euros or another EU-based currency could be seen as targeted servicing of EU subjects.

EU-based Domain Name: Having an EU domain, such as .fr, .ie, or .eu, may indicate that you are aiming services at EU subjects.

Learn more about whether GDPR applies to you in Part One of our GDPR series.

Create a list of the type of personal data you collate and/or process, along with the specific purpose for processing.

If you establish that you indeed collate and process identifiable personal data belonging to EU subjects, your next step is to determine the type of personal data being processed and whether processing is regular or occasional.

GDPR divides personally identifiable data into two categories: personal data and special personal data. Each has specific requirements for data controllers and processors. List the data you collect and process, and review the value of each process. It is advisable to collect only the data you require, to limit liability resulting from a data breach or compliance investigation. Securely deleting existing data that is superfluous to specific processing purposes is also recommended.

You should also assess whether the processing is occasional or regular – the latter being a key criterion to assess whether establishments must comply with EU GDPR regulation in May 2018.

Learn more about identifying personal data in Part One of our GDPR series.

Pull together an effective team of internal and external experts to begin outlining your strategy for complying with GDPR regulations.

We recommend this team include the main Data Handlers (controllers and processors), your Data Protection Officer (a data protection legal expert), your Chief Information Security Officer (CISO)*, and a compliance expert.

Everyone on this team should be familiar with the GDPR requirements and their business impact, so the team can decide how best to comply with the regulations without negatively affecting the day-to-day running of the business.

* CISO: if you don’t have one, see if our CISO-on-demand services might be helpful. 

Understand the rights that EU subjects have over data, even after they give you consent.

Upon request, the data controller will need to be able to prove that it has obtained an EU subject’s clear consent for specific data processing. Note that the data subject can withdraw consent at any time, and withdrawal needs to be as easy a process as the one for giving consent.

The data subject can request corrections to personal information and full erasure of identifiable personal data (right to be forgotten). Data subjects can also request corrections to data and data transfers to another party.

Learn more about user consent and GDPR in Part Two of our GDPR series.

Identify and clarify your lawful basis for collecting and processing identifiable personal data of EU data subjects.

Article 6 of the GDPR regulation states that identifiable data can only be processed for specific purposes and must have appropriate safeguards in place, such as encryption and pseudonymisation.

Organisations are advised to document clearly how the entity lawfully processes data of these individuals protected by the EU GDPR regulation, and to ensure the data processes are clearly defined and explained in the privacy notices and consent forms.

Learn more about how to process personal data lawfully in Part Two of the TBG Security GDPR series.

Review data storage and security measures and strengthen security to protect identifiable personal data.

Under GDPR, security needs to be baked into the data system architecture.

Should a breach occur and the establishment be found not to have applied appropriate IT security measures to protect the identifiable personal data of EU subjects, it opens its doors wide to huge fines (4% of the previous year’s turnover or 20 million Euros, whichever is greater).

TBG Security’s Data Protection Plan was designed for this purpose.  It includes regular penetration tests, security assessments, external scans and on-demand consulting, all of which are designed to seek out any issue that negatively impacts your risk – a perfect fit when preparing for GDPR.

Meet with suppliers, employees, and business partners to ensure everyone is clear on the new legislation and its impact on current identifiable data collection and handling.

Under GDPR, both controllers and processors are responsible, and therefore liable, for the correct data collection and processing of identifiable personal data of EU subjects. It’s vital that everybody understands the general scope of the law and associated penalties.

Learn more about data controllers and processors in Part One of the TBG Security GDPR series.

Create a clear and precise policy to follow in the event of a data breach of personally identifiable information.

It must include notifying the authorities within 72 hours of discovering the breach. Failure to notify the appropriate authorities puts organizations at undue risk of GDPR fines and penalties.

Being able to provide the steps taken upon discovery of a data breach will put you in better stead with the authorities, as well as your customers or users.

TBG Security’s CISO on demand is available to organizations requiring expert policy advice and recommendations.

Revamp your privacy notices and consent forms to be explicit, explaining how you will use EU subjects’ data.

One of the main components within GDPR is the requirement for clear consent from the EU-based individual whose data you want to collect and process. Additionally, you need to tell the individual clearly how you plan to use their data at the time of consent.

This means that companies around the world that regularly process identifiable personal data from EU subjects will need to have much more visibility into and control of how data is collated and processed. Organizations who work with third-party data collectors or processors will need to be contractually clear and precise about roles and responsibilities.

Learn more about how to process personal data lawfully in Part Two of the TBG Security GDPR series.

Do not underestimate the magnitude or scope of this new EU regulation.

There has been an appropriate two-year readiness period, more than half of which has passed. This law applies to any organization, within or outside the European Union, that regularly processes personally identifiable information of EU subjects, including visitors, residents and citizens of EU nations.

Ensure you have the appropriate experts in house. If not, consulting reputable external data protection experts can radically speed up the compliance process.

Learn more about TBG Security GDPR services.

Here is some further reading on GDPR.

Useful Resources:

EU GDPR Regulation

If you need help getting your head around EU-GDPR, get in touch. We’re experts on compliance and we’re here to help.
