CastleHill Managed Risk Solutions Blog

GDPR in the USA

Posted by Joseph Santangelo on Mar 6, 2018 12:51:36 PM

Coming soon! Actually, very soon: on 25 May 2018 the EU's General Data Protection Regulation (“GDPR”) goes into effect.

Its aim is to protect the personal data and privacy of individuals in the European Union (“EU”). GDPR Article 32 requires organizations to implement technical and organizational measures that provide a level of security appropriate to the risk to personal data. Failure to comply can result in fines of up to 4% of annual turnover.

But thankfully you have a US-based business. Phew!

Heh, heh, heh… If you offer goods or services (even free ones) to individuals in the EU, or monitor their behaviour, GDPR applies to your organization (Article 3). And did I mention that GDPR fines run up to 4% of GLOBAL annual turnover, or €20 million, whichever is higher?

GDPR requires organizations to implement appropriate technical and organizational measures to ensure, and to be able to demonstrate, that personal data is processed in compliance with the regulation (Article 24). THIS MEANS YOU!!!

GDPR mandates notifying the supervisory authority of a personal-data breach within 72 hours of becoming aware of it (Article 33), and notifying the affected individuals without undue delay when the breach is likely to result in a high risk to them (Article 34). How do you accomplish this? Do you have the necessary processes and procedures in place? Are you performing comprehensive risk assessments, tracking the effect of business changes, and ready to provide reporting to regulators?

The “Right to be Forgotten” (the right to erasure, Article 17) requires organizations to have firm control of their environment and the ability to manage risk: you cannot erase an individual's data on request unless you know every system that holds a copy of it. Data-governance strategies must be documented and vetted for each business silo. Data inventories must be maintained, with a well-documented access and entitlements policy matched to the level of risk to personal data.

A seldom-mentioned aspect of GDPR may have the most far-reaching impact. “Data protection by design and by default” (Article 25, commonly called “Privacy by Design”) requires organizations to consider privacy from the initial design of new products, processes or services all the way through their deployment. Changes to business processes must be well documented and their risks assessed. Implementation may also require operational risk analysts and process engineers to confirm that GDPR requirements are met.

When assessing risk, organizations must consider the nature, scope, context and purposes of the processing in addition to the potential risks to individuals' rights and freedoms. GDPR's risk-based approach makes robust risk-management processes essential: organizations are expected to analyze risk and to choose controls proportionate to it, and processing that is likely to result in a high risk to individuals requires a formal Data Protection Impact Assessment (Article 35).

In GDPR, risk is measured by the “likelihood and severity” of harm to the rights and freedoms of data subjects (Recital 76). What, then, is the likelihood that your organization will be compliant with GDPR? And what would be the severity of the penalties to your business if you were not?



Joe Santangelo

VP Business Development 

CastleHill Managed Risk Solutions


Topics: Risk Management, GDPR, GDPR Compliance, GDPR for US Companies