GDPR Executive Summary

  • General Data Protection Regulation (GDPR) has been effective May 25, 2018.
  • GDPR simplifies the regulatory environment for international business by unifying the regulation within the EU.
  • Gives individuals in the EU stronger rights, empowering them with better control of their data and protecting their privacy in the digital age.
  • Comprehensive reform of the European Union’s 1995 data protection rules to strengthen and unify the protection of data for individuals within the European Union (EU).
  • Addresses the export of personal data outside the EU.
# Description Date
1 Full compliance date May 25, 2018
2 Regulation in force 20 days after publication in EU Official Journal May 4, 2016
3 Adoption by European Parliament April 14, 2016
4 Adoption by Council of the EU April 8, 2016
5 European Parliament's LIBE committee vote positively on outcome of negotiations between the three parties December 17, 2015
6 Negotiations between European Parliament, Council and Commission (Trilogue) result in a joint proposal December 15, 2015
7 European Parliament Committee on Civil Liberties, Justice and Home Affairs (LIBE) orientation vote October 21, 2013

GDPR Services

On-Demand Consulting (ODC) Advisory Services to establish a credible GDPR compliance Program.

Managed Cybersecurity Services Program (MCSP) to monitor and maintain a GDPR compliance program.

Addressing GDPR mandates with the application of the HITRUST CSF.

Comprehensive risk assessment to identify GDPR compliance gaps.

Cybersecurity vulnerability assessment to determine security vulnerabilities.

GDPR cybersecurity strategy workshop (1-day program, delivered at your site).

Policy review and update to address GDPR requirements.

Development of tailored GDPR security procedures.

GDPR Personal Data

  • Personal data - Any data that can be used to identify an individual, including things such as genetic, mental, cultural, economic or social information.
  • Sensitive personal data - Special categories of personal data. For example, the special categories specifically include genetic and biometric data where processed to uniquely identify an individual.

Who Does GDPR Impact?

  • Applies to data controllers and processors at organizations, if the data subject (individual) resides within the EU.
  • Individuals currently subject to DPA, are subject to the GDPR.
GDPR Program

Preparing for GDPR Compliance

  • Establish and document a framework of accountability in your organization.
  • Develop, publish and implement required policies and procedures, and regularly review and update them.
  • Train your workforce members and ensure they understand their obligations related to privacy and security.
  • Conduct a risk assessment and mitigate known vulnerabilities.

GDPR Key Requirements

  • Appointment of Data Protection Officer (DPO).
  • Tightens rules for obtaining consent to use personal information.
  • Requires organizations collecting personal data to prove they have consent from the individual to process the data.
  • Mandatory Privacy Impact Assessments (PIAs), requiring Data Controllers conduct PIAs where privacy breach risks are high, prior to beginning any project involving personal information.
  • Expands liability beyond data controllers to all organizations handling personal data in any way.
Key Requirements

Data Breaches

  • Data Controller under legal obligation to notify Supervisory Authority within 72 hours of discovery of a breach.
  • Reporting of breach not subject to any de-minimize standard.
  • Affected individuals must be notified if adverse impact is determined.


  • Severe financial penalties may apply for non-compliance with requirements of the GDPR.
  • Written warning in cases of first and non-intentional non-compliance.
  • Regular periodic data protection audits.

Trusted by the industry with proven methodology and results


Years of experience


People trained & certified
by ecfirst


Satisfied Customers

In the News

Controls Required for HITRUST Certification, HITRUST Advisory from Ali Pabrai.


Cyber Immune Defense: HITRUST, Featured Presentation by Ali Pabrai at HIMSS Iowa Chapter 2018 conference, November 8, 2018 | Des Moines.

Thought Leadership

Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP), CCSFP (HITRUST) is the chief executive of ecfirst, an Inc. 500 business. He is a highly regarded information security and regulatory compliance expert.