
Thycotic’s CyberSecurity Publication


The EU GDPR Checklist: It’s go time!

March 13th, 2018




Yes, you’ve all heard about it. Many companies have been raising the alarm and increasing awareness about GDPR—General Data Protection Regulation—for months now, all offering solutions for anything at all to do with GDPR. It’s caused a lot of confusion, raised many questions—and organizations have no idea where to start.

Many assume they are excluded and do not need to do anything—this is not true

Some companies assume they are excluded and do not need to do anything. Nothing could be further from the truth. So, let’s clear this all up now, and demystify the EU GDPR with our EU GDPR Checklist.

But first, a quick reminder: what is the EU GDPR?

The new EU General Data Protection Regulation has been in development for a number of years. It replaces what was previously the European Data Protection Directive from 1995. The idea was to build a consistent foundation across all European Union States to create a basic commonality for the protection of data and critical infrastructure.

Protecting the Personally Identifiable Information (PII) of European Citizens

The regulation is focused on ensuring that any nation state, organization, or company dealing with European citizens’ personally identifiable information is obliged to comply with this regulation. It requires that organizations dealing with the personal data of European citizens have a certain standard they must comply with. This means: effective data protection, adequate security measures, privacy by design, and when there is a data breach they must notify the national authority of the country in which they operate within 72 hours of a breach. Depending on the risk value of the information that’s been compromised—low risk or high risk—they must also notify the impacted party without undue delay.

Penalties and fines for inadequate security measures: 20 million euros or 4% of annual turnover

This is the new foundation of responsibility and accountability when it comes to dealing with European citizens’ personal data.

What this all means is that your organization can now be held responsible when collecting excessive amounts of information. The more information you collect, the more you are accountable for. If, in the event of a breach, it is found that adequate security measures were not in place, there are significant penalties and fines—20 million euros or 4% of annual turnover.

Here is your final checklist before the EU General Data Protection Regulation comes into enforcement in May 2018.

#1 It is Borderless
The scope of the new regulation; it’s all about the DATA

The EU General Data Protection Regulation is not bound by any borders and is applicable to any company or organization, globally, that is collecting or processing EU citizens' Personally Identifiable Information. This includes services hosted outside of the EU that service EU citizens.

It is important that you quickly identify whether you are collecting or processing any personal data from EU citizens. Many companies have assumed that, because they do not have direct EU customers or employees, the regulation does not apply. This assumption is incorrect.

What it means is that even if you are collecting or processing EU citizens' PII via a third party, the regulation still applies. If you are responsible for a system or application that collects or processes data from an EU citizen, then you have a responsibility to comply with the EU GDPR.

#2 Clear CONSENT
Collecting and processing personal information, and recording consent

This is probably one of the most important requirements under the EU GDPR. This means that you must be clear on obtaining and recording consent from the data subject on the collection and processing of personal data, including what data is being collected, how the data will be used and whether the data will be shared with 3rd parties. Because of this, it is better to collect only the data required and not to over-collect data on the assumption you might require it later. It is critical that you record consent, how the data was obtained and from which source, directly or indirectly via a 3rd party. If obtained via a 3rd party, ensure that consent was obtained, and is being maintained and updated. Also, consider the impact on the underlying process if consent is withdrawn.

#3 Data Classification
Know the data you collect; is it SENSITIVE?

It is important to know the type of data you are collecting or processing on EU citizens.  Is it just an email address and contact details?  Many organizations are simply making sure they can contact customers, market to prospects or ensure that vital information is getting to the right people.  However, a Data Impact Assessment should be performed to determine if you are collecting or processing personal data and whether that data is indeed potentially sensitive in nature.  I highly recommend you check for data such as health, financial—including systems for invoicing or expenses etc.—and resumes which usually contain sensitive information.

Organizations will have to get into the routine of classifying the type of data being collected or processed to determine their capacity for accidental sensitive data collection. Some processes I recommend reviewing are customer/employee onboarding processes, as this is usually where sensitive data could be collected, for example when receiving resumes from prospective future employees, either directly or indirectly via 3rd party recruitment companies. Be clear on what type of data you agree to collect and process. Expense systems should also be reviewed for the type of data you are receiving from employees, for example receipts from expenses, and how the purchase was made. Be sure to require only the least amount of personal information, and make sure these systems or processes are private and secure by design.

#4 Respond to Complaints
Be ready and prepared

Make sure that after May 2018 you have a consistent and repeatable process for responding to complaints about personal data being collected or processed from EU citizens. This will likely happen, so establish a solid process to handle complaints, and ensure each type of request is handled according to the EU GDPR.

#5 Data Protection Officer
Do you need a DPO?

Most organizations are probably still considering whether or not they need a DPO. Well, it’s probably too late, if you are reading this now, to determine the need. So at least consider what you need to be doing and have a plan in place.  If the core business is regular and systematic monitoring of data subjects on a large scale, or special categories of data at large scale, for example when sensitive data is involved, then you probably need a DPO.  Whether or not you need to appoint a DPO, you should at least consider carrying out the tasks and responsibilities of a DPO to ensure that any future changes comply with the EU GDPR. Remember, this is an ongoing continuous process and not a one-time check box. The DPO will help ensure that you are following and continuously being compliant with the EU GDPR.

#6 Privacy by Design
Data protection and privacy impact statements

If you are collecting and processing personal information from EU citizens, then you must implement privacy by design and perform privacy impact assessments. This is to ensure that you have taken the right steps to determine that adequate security is in place and that you are practicing a least-privilege approach to data access.

#7 Be Ready to Act FAST
Data breach and incident response

Complying with the EU General Data Protection Regulation does not mean you are protected from being hacked. It simply means that you've identified the Personally Identifiable Information from EU citizens that you are collecting or processing, and that you've set up appropriate processes to ensure consent, adequate security, and right to removal; and that you're not collecting excessive data, or using it inappropriately. It means you have accepted accountability over the collection or processing of EU citizens' personally identifiable information.

I believe this is probably the most important check to perform: verify that you have a solid and tested Incident Response plan. This will likely determine whether you have done your due diligence when it comes to data protection and responsibility. If you fail at Incident Response and at adhering to the EU GDPR breach notification requirements, then you could likely be facing strong financial penalties, so be sure to get this one right. As stated above, the regulation requires effective data protection, adequate security measures, and privacy by design, and when there is a data breach an organization must notify the national authority of the country in which they operate within 72 hours of a breach. Depending on the risk value of the information that's been compromised—low risk or high risk—they must also notify the impacted party without undue delay. So do not wait: get to know your national authority now rather than trying to determine whom to contact, and how, when the data breach occurs.


The EU GDPR is a big change to how nations and companies around the world collect and process EU citizens' personal data, and it establishes strong requirements that put privacy and security right at the top for EU citizens. This of course is only the beginning and we will likely see many changes and improvements in the years to come, but I am sure you do not want to be the first to test this by failing GDPR compliance. So, follow the checklist and determine what applies to your organization. Make the process changes now rather than waiting for a data breach, because what is almost certain is that a data breach will occur, and how you respond to it will make a big difference to whether your organization will survive a cyber-attack.


Joseph Carson

Joseph Carson has over 25 years' experience in enterprise security, is the author of "Privileged Account Management for Dummies" and "Cybersecurity for Dummies", and is a cyber security professional and ethical hacker. Joseph is a cyber security advisor to several governments, critical infrastructure, financial and transportation industries, speaking at conferences globally. Joseph serves as the Chief Security Scientist at Thycotic.
