Webinar questions and answers: Ready for GDPR? Learn about challenges and ways to comply

Written by

Michael Rasmussen

Published on

20 Mar 2017


Below is a list of questions from the SureCloud GDPR Webinar. The questions have been answered based on our presenters’ understanding of the Regulation and are for guidance only. Before acting on this guidance, we recommend seeking legal clarification.

Question 1 – I’m with a US company. Does the EU-US Privacy Shield mean I don’t have to comply with the EU GDPR?

Though it’s considered a good-faith effort, the EU-US Privacy Shield does not exclude participating US companies who operate in the EU from meeting the requirements of the General Data Protection Regulation.

The Privacy Shield deals specifically with data transfers between two political areas (EU and US) in support of transatlantic commerce. That’s just 2 of the 10 identified GDPR requirements noted on the chart below, exposing Privacy Shield members to possible EU penalties.

Question 2 – Does personal data under GDPR include the combination of multiple assets within an organisation in the same way that DPA does?

Yes – Article 4 of the Regulation defines data as personal according to whether a natural person can be identified, irrespective of how the data is stored or collated. Hence the Regulation applies to any operation or process that collates multiple sets of data (i.e. assets) so as to allow a natural person to be identified where they otherwise could not be. This is a key consideration for Data Protection Impact Assessments.

Question 3 – If a supplier has ISO 27001 and provides evidence, will this be deemed an adequate assessment of the supplier?

No – Certification to existing standards such as ISO 27001 and/or Cyber Security will help to demonstrate compliance with elements of GDPR, but is unlikely to be sufficient evidence on its own given the much wider breadth of the new regulation. Ultimately it will be possible to obtain accreditation for GDPR once Supervisory Authorities and the European Data Protection Board (EDPB) establish a certification mechanism as outlined in Articles 42 & 43.

Question 4 – Would security CCTV cameras in a restaurant be covered?

Yes – CCTV is covered by GDPR in Article 4(14), as physical characteristics such as facial images classify it as biometric data. This type of data belongs to the special category of prohibited data which can only be used under specific circumstances, as outlined in detail within Article 9. The one that is likely to apply in this case is sub-paragraph (c), where: “processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent”.

Until further guidance is provided with regards to CCTV under GDPR, we recommend that you review the ICO’s existing guidance and Code of Conduct for the Data Protection Act.

Question 5 – What constitutes a cross-border transfer?

Data that can be viewed by a body outside the EU via any mechanism constitutes a cross-border transfer. In principle, GDPR will retain the cross-border data transfer rules of the Data Protection Directive whilst improving upon adequacy decisions and formalizing Binding Corporate Rules (BCR), to name a few changes. The principal change, however, is that GDPR has shifted focus onto whether the data belongs to residents of the EU, as opposed to where that data is held. Hence where there is a chance of personal data being used beyond the jurisdiction of the EU and the recourse of its data subjects (e.g. download outside of the WAN, printed, or a photo taken of the screen), it is likely to constitute a cross-border transfer.

Security measures to prevent these activities, such as limited permissions for non-EU staff, encryption, transfer limitations or pseudonymized data, may help in such a situation. In a recent survey by PwC, nearly two-thirds of US participants had plans to centralize their data centres in Europe, whilst more than half intended to de-identify data to reduce their exposure to GDPR. More significantly, nearly a third planned to reduce their presence in Europe altogether.

Question 6 – Can you provide an example of how a control would work, and is there a definitive list of legitimate reasons for processing data?

Yes, some good examples of controls that organisations will need to implement are data protection policies, procedures and processes that prove data subjects have given consent. Bird & Bird provide a good assessment regarding Legitimate Interests. In summary, recitals 47 to 50 of the GDPR list several of the most common examples:

  • Recital 47 – “Processing for direct marketing purposes or preventing fraud”: this legitimacy is based on the data subject’s reasonable expectation of how the data is used, given the time and context of the collection.
  • Recital 48 – “Transmission of personal data within a group of undertakings for internal administrative purposes, including client and employee data” (note that international transfer requirements will still apply – see the section on transfers of personal data).
  • Recital 49 – “Processing for the purposes of ensuring network and information security, including preventing unauthorized access to electronic communications networks and stopping damage to computer and electronic communication systems”.
  • Recital 50 – “Reporting possible criminal acts or threats to public security to a competent authority”.

Question 7 – Can the platform be used for a full DPIA once you’ve identified that one is needed?

Yes. One of the key processes in the GRC Controls application allows organisations to undertake DPIAs for each data processing activity following a series of screening questions. The screening questions will also indicate when a DPIA is not required for a given processing activity. DPIAs may also be referenced by multiple processing activities where applicable, again saving time and effort.