If you anticipate or are currently transacting commerce with EU consumers, you will need the ability to perform a Personal Data Risk Assessment with Expresso.
HIPAA Survival Guide Subscription customers may purchase GDPR with Expresso as an ADD-ON for a one-time cost of $495.95 with no increase to your renewal fees.
Non-subscription clients may purchase Expresso with GDPR Subscription that includes GDPR Products for $1,295.95.
If you have any questions, please contact us at [email protected] or call (800) 516-7903
Expresso® was designed to manage more than one compliance regime. We are now delivering on that promise. Our competitors' products were narrowly focused on HIPAA and they have no easy path to migrate their offerings to other regimes. This includes smaller competitors and those that come with a more hefty price tag. None are delivering the kind of innovation that Expresso® represents.
We have rationalized the GDPR risk assessment in a more streamlined manner because GDPR is even less prescriptive than HIPAA. Our decade of experience provides you with a foundational list of 10 Essential Controls that any compliance regime requires. We introduced the Compliance Stack™ as a way to explain this groundbreaking innovation to the marketplace.
An introduction to the GDPR's 10 Essential Controls that are included in Expresso follows:
1. Risk Management: This Control encompasses the entirety of an entity's Risk Management program ("Program"), including Risk Assessments and implementing additional Security Controls ("Controls") that reduce Risks to levels that are "reasonable and appropriate."
2. Incident Management: There can be no effective Risk Management Program, including but not limited to Breach Notification, if security incidents are not tracked.
3. Inventory (Security Objects): Controls are applied to Security Objects (e.g. most think in terms of an asset inventory but the term encompasses much more than that).
4. Administrative: Compliance is a multi-disciplinary subject matter domain that requires a skillset far greater than technical acumen.
5. Authentication: The ubiquitous nature of smart phones has led to widespread use of two-factor authentication by most large organizations including banks, brokerages, and of course all the major technology firms.
6. Breach Notification: Breach notification, under every compliance regime where it is applicable, has become the 800-Pound-Gorilla that drives enforcement. Such is the case for HIPAA and we expect this same Gorilla to dominate GDPR enforcement. Large Breaches attract the attention of regulators.
7. Disaster Recovery: Disaster Recovery is yet another meta-control because it encompasses much more than data backups. Of course, backing up your protected data, and all your data for that matter, is mission critical.
8. Audits: Measurement against a baseline of a compliance regime's requirements is the only level of granularity that matters during an audit.
9. Technical Controls: This is another meta-control that of necessity must be treated as such because it is where the most innovation is currently occurring in cybersecurity defenses (i.e. for the moment we are discounting the importance of process innovations because they are so little understood). What we enumerate here as sub-controls are the basics, the most important of which is encryption.
10. Physical Controls: Physical Controls are such a no-brainer that they often go overlooked because of our obsession with technology.
GDPR PRODUCTS AND SUBSCRIPTION
GDPR Products are available on the HIPAA Survival Guide Store. They include:
- GDPR ADD-ON for Existing Clients;
- GDPR with Expresso Subscription Plan;
- GDPR Overview and 10 Step Implementation Training;
- GDPR Breach Notification;
- GDPR Model Security Policy;
- GDPR Privacy Policies;
- GDPR Model Notice of Privacy Practices; and
- GDPR Combo Package.
GDPR products can be purchased as a subscription or individually (including the Combo Package).
We recommend that you have at least four basic policies in place: (1) a Notice of Privacy Practices (outward facing); (2) a Privacy Policy; (3) a Security Policy; and (4) a Breach Notification Policy (collectively "Policies").
NOTICE OF PRIVACY PRACTICES ("NOPP")
Your GDPR NOPP is similar to a covered entity's NOPP under HIPAA, except that you need to provide access to it in the places where Data Subjects would expect to see it.
Your Privacy Policy is an internal facing document and contains your organization's intentions vis-a-vis protecting the confidentiality of Personal Data. It should contain information about your Data Protection Officer (or Representative) and how you intend to resource this position.
Surprisingly there is only one Article in the GDPR (Article 32) that deals directly with security. It's not that security is not important under the GDPR, it obviously is; rather, it's that the emphasis on Privacy dominates.
The GDPR introduces Breach Notification into the EU for the first time. Given what we have witnessed under HIPAA (post the HITECH Act) Breach Notification will also emerge as the GDPR's 800-pound Gorilla.
If you have any additional questions regarding GDPR Compliance, please contact us via email at [email protected] or by telephone at 800-516-7913.