A Foundation for GDPR Compliance

Jacek Materna on April 6, 2018

By now, you’re probably painfully aware of GDPR. The noise around the new data protection law alone is enough to make your head spin.

Add to that 100 pages of dense articles to trek through, and every security officer has their work cut out for them. But before you start trying to decipher the implication of every word choice in specific articles, you have to make sure your security practice has a solid foundation.

To help you get your head above water, we’ve compiled a checklist that will effectively be your step 0 for GDPR compliance. These steps are intended to prime you for future security controls and make your job easier down the road.

Without further ado...

  • Be sure to have a Privacy Policy posted on your website that discloses your practices and security ideology. This policy must include appropriate Privacy Shield clauses and dispute resolution clauses. Contract with a dispute services provider as needed for Privacy Shield compliance.

Tip: You must include Privacy Shield info in your published Privacy Policy to comply with EU rules. You can also set up a free account with to generate a privacy policy for a dummy domain (not your real one) just to go through their comprehensive list, which helps you identify what is personal data and how it finds its way to you.

Need some inspiration for what to include? Check out what we've put together.

  • Confirm that you are in compliance with applicable US privacy laws/standards for special types of data. Think industry or function specific data like HIPAA, billing information, etc.
  • Review your customer contracts and confirm that you meet any privacy requirements. Pay special attention to any EU customer contracts that include GDPR processor and data transfer requirements.
  • Meet all HR privacy requirements, including any privacy policies on HR portal/intranet.
  • If your team has any presence in Europe or an offering targeting EU data subjects, comply with rules directly applicable to controllers under GDPR.

Don’t lose sight of the foundational pieces of your security strategy as you build out your policies and processes for GDPR compliance. Having a holistic security practice will position your organization to be even more effective in your quest for GDPR compliance.