GDPR Consulting: EU GDRP Compliance Consulting Services

Easy GDPR Consulting Services

No matter where your business is located, if you process EU data, the EU General Data Protection Regulation (GDPR) requires you to make some major adjustments to your privacy program.

2B Advice can give you a clearer picture of what the key requirements of the EU General Data Protection Regulation (GDPR) are, what steps you can take to meet them and how much time and effort you can expect to put into each step with our GDPR consulting services.

Get A GDPR Consulting Quote!

Learn more about how we can help your company with a GDPR or CCPA compliance program.

U.S. Company

We are an international company with offices in San Diego, California.

SINCE 2003

We are one of the providers with the longest experience in the market.

INTERNATIONAL TEAM

Our data protection expertise is transnational and we work internationally.

We are GDPR Compliance Consulting Experts

With GDPR being in effect since May 2018, your organization needs to demonstrate your compliance. A breach in personal data can result in fines up to €20 million or 4% of global revenue, whichever is higher. If you plan to do business in the EU, you’ll want to carefully navigate this new and complex data protection legislation. Our certified EU privacy law experts can help you assess your organization’s exposure to risk and design an appropriate level of mitigation.

2B Advice has helped thousands of organizations in Europe navigate data protection laws with experience and know-how developed over 17 years as one of Germany’s first data privacy consulting services firm. One of our most vital tools in privacy compliance consulting is 2B Advice PrIME, our proprietary data privacy software specifically designed to handle the stringency and the complexity of GDPR.

We consult with more than 200 international companies in multiple languages, including German, English, French, Spanish, Turkish, Italian and Chinese.

Request a GDPR consulting quote!

We also offer comprehensive, expert-led GDPR consulting services, DPO training, and GDPR workshops. We also help with Data Subject Access Requests under GDPR.

What is a GDPR consultant?

GDPR consultants are legal and data privacy experts or firms who help make sure that your company is compliance with the articles of the GDPR. They may provide data protection officer (DPO) services, legal and privacy consulting activities such as data impact assessments (DPIAs),or otherwise help with a variety of activities to develop methods and processes for compliance.

What is GDPR Certification?

GDPR certification refers to becoming legally compliant with the European Union’s (EU) General Data Protection Regulation, or GDPR. GDPR certification is a feature of GDPR law that allows people or entities to receive certification from approved certification bodies to show both the EU and consumers that they are in compliance with GDPR. Certification is scalable and can be different for organizations of differing sizes and types.

Article 42(1) of the GDPR provides that:

“The Member States, the supervisory authorities, the [European Data Protection] Board and the European Commission shall encourage, in particular at the Union level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors. The specific needs of micro, small and medium-sized enterprises shall be taken into account”.

Is Certification to ISO standards GDPR certification?

No. However ISO certification can be a useful part of building toward GDPR compliance.

Technical and management standards developed by international or European standards organizations, including the information security standard ISO/IEC 27001 or the newer ISO/IEC 27701 on the Privacy Information Management Systems, are not necessarily part of a GDPR certification mechanism. Such standards are essentially different in nature: they are directed toward management systems and have a risk-management approach.

Is there a GDPR certification?

An EU wide GDPR certification is still in the works. Despite the fact that the GDPR has been in effect for several years, developments of an EU wide certification on the basis of Articles 42 and 43 of the GDPR have been slower than expected.

At the EU level, there has not yet been a European data protection seal approved by the European Data Protection Board, while at the national level, some developments are now starting to emerge. Several pre-GDPR data protection certifications are being updated and submitted for approval, however most of them not yet approved by the national supervisory authorities. Much of the delay is due to the uncertainties of the GDPR articles regarding key aspects of the mechanisms, in combination with the novelty of certification for the European data protection law and a general lack of experience and know-how.

How do I become GDPR compliant?

GDPR demands that companies take certain steps to show that they are in compliance. Taking steps to create a privacy program that includes structures and processes that address all 99 Articles of the GDPR is the best way to become GDPR compliant. Examples of some of these steps include:

Documenting via records of processing activities (RoPAs) what user data is held, its source, the legal basis for processing and what data processing activities are used.
Creating and keeping up to date a register of data subject’s personal data and maintaining a record of user locations, responsible file owners, information sensitivity levels, data storage periods, and data availability.
Having a Data Protection Officer (DPO) on staff as of May 2018 if you are a public authority (excluding courts acting in a judicial capacity), an organization engaged in the large-scale monitoring of individuals’ data, or an institution that does large-scale processing of special data categories. This role may be outsourced.
Alerting authorities and data subjects within 72 hours if a data breach is detected. Successful, large-scale hacker attacks will lead to serious fines.
Providing users with a process for “right to access” and the “right to be forgotten,” which means that the data subject may know what information is stored or can have all personal information pertaining to them deleted if they so choose.
Informing the applicable regional supervisory authority if you intend to collect, use, and/or store personal information.
Adopting internal data protection policies.
Training staff in data protection and privacy best practices.
Conducting data impact assessments (DPIA) and audits.
Conducting third party assessments.

May products or systems be certified?

No. Products and systems cannot be certified as such for being GDPR compliant, but they are part of the evaluation for awarding the certification for data-processing activities.

Does GDPR Certified Mean GDPR Compliant?

No. Once a controller/processor has its processing certified under a data protection certification mechanism, there is still no presumption of conformity with the legal obligations. What GDPR certification does do is helps the controller or processor show to the Supervisor Authority the technical and organizational measures taken to comply with the GDPR legal obligations, does demonstrating their level of dedication and level of effort.

Get A GDPR Consulting Quote!

Learn more about how we can help your company with a GDPR or CCPA compliance program.

Frequently Asked Questions About GDPR

What is the GDPR?

The General Data Protection Regulation or GDPR is a European-wide data privacy law that replaces the Data Protection Act 1998 in the UK. It places greater obligations on how organisations handle personal data and contains 99 articles detailing those requirements. It came into effect on 25 May 2018 and applies to all companies that offer goods or services to citizens in the EU.

Who must comply with the GDPR?

The GDPR applies to “data controllers” which are any private or public bodies that process the personal data of individuals called “data subjects” residing in the EU.

Does GDPR apply to my business even if we don’t have operations in Europe?

Yes. The GDPR also applies to organisations outside the EU such as the US that offer goods or services to individuals in the EU.

Who are protected parties under the GPDR?

The GDPR protects “data subjects” whose personal data are processed by a data controller established in an EU Member State at the time of data processing or whose data are processed by an off-shore controller offering goods and services or tracking their online behavior, provided that such data subjects are physically present in the EU at the time of that processing activity.

What is right to notification under the GDPR?

A data controller must inform the data subject of the following:

The purpose for processing personal data.
The legal basis for processing personal data
The categories of personal data that will be collected and processed.
Who the recipients of their personal data are.
The contact details of those processing their data.
If the personal data will be transferred to a third country.
The period that the personal data will be stored.
The existence of automated decision-making.
All of the data subject’s rights defined by the GDPR.

What rights do data subjects have under the GDPR?

Data Subjects have the right to:

Withdraw consent of processing their data for marketing purposes
Access their personal data
Erasure of their person data within certain scenarios.

What are the GDPR security requirements?

The GDPR requires data controllers and processors to implement technical and organizational measures (TOMs) to ensure the reasonable safety of their data processing operations. The GDPR adopts a risk-based approach to determine what level of technical and organizational measures are required in each case. Relevant factors include the nature and volume of the data processing activities, criticality of the data processed and the risks associated with the specific processing operations.

What is protected data under the GDPR?

The GDPR defines information that is protected as “personal data”, which is any information relating to an identified or identifiable natural person, including:

Names
Identification numbers
Location data
Online identifiers
One or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a natural person.

How does GDPR impact business – vendor relationships?

The GDPR does govern certain types of vendor relationships. In addition to the data controller, the GDPR recognizes the role of the “data processor” as a party that processes personal data on behalf and at the direction of a controller. In their processing activities, data processors must strictly abide by the instructions of the data controller. The GDPR establishes minimum requirements for the contract that a data controller must enter into with a data processor.

Are all vendors considered “processors” under the GDPR?

Co-controllers and “third parties” are parties other than the original data controller or its processors who may lawfully become engaged in the processing or personal data. In addition, co-controllers who jointly define the means and purposes of a processing activity must allocate their responsibilities in a written agreement.

How do we know if we are a processor or a controller?

A controller determines the purposes and means of processing personal data. A processor is responsible for processing personal data on behalf of a controller.

What is a Data Protection Officer?

The GDPR calls for the mandatory appointment of a Data Protection Officer or DPO. He or she is responsible for overseeing an organisation’s data protection strategy and implementation of the GPDR requirements. The DPO is the main point of contact with the relevant regional data supervisory authorities.

What are the GDPR penalties non-compliance?

A supervisory authority can impose a fine of up to 20 million Euros or 4% annual turnover, as well as issue warnings or reprimands.

What are the GDPR Requirements for Companies in 2021?

Even though the GDPR is a European standard, there are GDPR requirements for U.S. companies. American companies who are transferring personal data between the U.S. and Europe are included in the GDPR compliance requirements even though they may be headquartered physically outside the EU.

The first step towards full GDPR compliance is to establish if the GDPR requirements apply to a certain U.S. company. Regardless of company size measured in staff or revenue, if the company offers goods and/or services to EU/EEA residents or collects, processes or supervises the personal data belonging to users within the EU/EEA, the GDPR is applicable to it. Names, contact information, and details such as IP addresses, locations, etc. are considered personal data and covered by the GDPR and you need to demonstrate a lawful basis to process it.

The GPDPR compliance requirements are also adapted to various company characteristics such as staff size. Businesses employing fewer than 250 employees do not require a record for data-processing activities. This law only applies if the processing of information is harmless to the users, no distinct divisions of data are being handled, and if the processing is complying with Art. 30 GDPR. Therefore, most companies that process distinct personal data must provide records of their data processing endeavors.

Data subject rights and crucial tools in complying with the GDPR requirements for U.S. companies include Data Breach Notifications which fall under the user’s right to be informed and require companies to maintain transparent data collections and consent, or “opt-in”. These act in accordance with the Right of Access (Art. which concludes that the user must be allowed to view any collected data within one month for free. Other requirements of GDPR include conducting Data Protection Impact Assessments (DPIA), Privacy by Design and Default, Strict Consent Conditions, Data Subject Access Requests (DSAR), and appointment of a Data Protection Officer (DPO).

The GDPR has multiple tools which allow it to enforce its policy in foreign countries. If a company holds EU/EEA assets or presence, such as bank accounts, property, and servers, they can be seized for GDPR defiance. Alternatively, if they hold no physical occupancy in the EU/EEA region, GDPR compliance requirements demand a representative stationed within the EU/EEA precinct. Another strategy through which legal action can be taken is International law possibly through EU/EEA enforcement agencies.

GDPR Fines 2021

Data fines will also play a huge role in complying with this European law in 2021. They can be as expensive as 20 million euros or four percent of the company’s annual global revenue, whichever is more excessive.

For example, in a significant ruling, Google was fined €50 million by France’s GDPR enforcement agency, the Commission nationale de l’informatique et des libertés (CNIL), for processing EU/EEA user’s information without their consent and essentially disregarding GDPR requirements.

To review, GDPR requirements apply to most U.S.-based companies who have European customers especially if they supply consumer goods and services, track personal data, or share personal data with third parties. Noncompliance with the GDPR can potentially result in harsh and expensive consequences for American companies. Therefore, corporations that have any connection with European users should ensure that they receive reliable assistance in avoiding any incompliance with the GDPR requirements.