Data Privacy (GDPR and Privacy Shield Compliance)

If your company does business with or handles the data of individuals in the European Union ("EU"), then you are probably required to comply with EU/U.S. Privacy Shield directives, and (soon) the EU General Data Protection Regulation ("GDPR"). The GDPR applies to all EU member states, as well as organizations that do business in the EU. The EU has been at the forefront of privacy legislation over the last 20+ years, and the GDPR is intended to strengthen and standardize previous privacy legislation into a unified standard. U.S.-based organizations have not traditionally put the same emphasis on the protection of private information as their EU-based counterparts, and privacy is suddenly an extremely important topic.

A little background:

Since the United States is not deemed to have adequate privacy protection laws, the EU requires U.S. organizations that handle Personally Identifiable Information (PII) collected in the EU to meet EU privacy standards through the EU Privacy Shield, and soon through the GDPR (effective May 2018) as a condition of transferring data. U.S. companies that handle EU customer or employee data categorized as PII will need to demonstrate their compliance with EU privacy standards, and companies that do not meet the regulations will risk large fines (up to 4% of the company's annual turnover or 20M Euros) and/or termination of contracts with EU partners.

If this sounds complicated, that's because it is. To meet the EU requirements, U.S.-based companies will be required to make a number of significant administrative and technical changes to their data handling processes, including:

  • Implementing a privacy program, which must include requirements for right to erasure, processing restrictions, and defined processes for how data collection and consent are handled
  • Determining if a Data Protection Officer is required
  • Following specific data breach notification and privacy complaint requirements
  • Implementing the appropriate privacy policies, procedures, and notices
  • Performing a data inventory and analysis as part of a Data Protection Impact Assessment (DPIA)

Our Approach

Our privacy program development methodology provides a framework that can help your organization:

  • Develop a strategy that engages both executive management and subordinate stakeholders
  • Develop and fine-tune a privacy program based on your organization's business, goals, and objectives
  • Develop privacy policies, procedures, guidelines, and standards to meet applicable laws and regulations
  • Define strategies for continuous improvement and success metrics

The AppSec Consulting Difference

  • We will develop or improve your existing privacy program using proven tools and methodologies
  • We work with security professionals with a wealth of experience in all facets of risk, privacy, and compliance management and program governance
  • Get maximum value from your security, privacy, and compliance investments by focusing your efforts on business priorities
  • Increase market share to third parties by being able to objectively demonstrate your security, privacy, and compliance posture

Our Approach

  1. Define organizational goals and objectives
    • Identify external and internal requirements
    • Evaluate the current state and efficacy of implemented controls
    • Define program goals and objectives
    • Provide a gap report with actionable remediation recommendations for incomplete or missing controls
    • Develop a custom privacy framework aligned to your business and security requirements
  2. Develop a management framework
    • Define Management and Stakeholder responsibilities
    • Develop or refine the privacy risk assessment methodology
    • Draft or revise policies, procedures, and supporting documentation
    • Develop supporting documentation where required
  3. Develop operational processes and technical controls related to privacy
    • Develop or refine privacy Standard Operational Procedures (SOPs)
    • Develop or refine privacy technical controls and requirements
    • Define privacy program testing procedures and metrics
  4. Provide Implementation Support
    • Provide project management support
    • Provide technical assistance
    • Ensure implementation is consistent with your privacy framework and controls
    • Perform technical and administrative review of your privacy controls

What You Get

  • Expert consultation you can count on throughout the entire process
  • A privacy program best suited to your organization’s requirements and objectives
  • Confidence you can meet external and internal requirements
  • A competitive advantage your clients will respect and appreciate
  • Visibility into your organization’s security and privacy posture, including strengths and opportunities
  • An objective assessment of your privacy program which will allow you to focus human and capital resources efficiently
© Copyright 2017 AppSec Consulting, All Rights Reserved