GDPR (General Data Protection Regulation) Services


The General Data Protection Regulation (“GDPR”), designed to protect the rights and data of European Union citizens, took effect May 25, 2018.  This regulation is applicable, regardless of who holds the data or where that data is being held.

GDPR compliance begins with conducting a review now to determine if the GDPR pertains to your current business, and what steps are needed to become compliant. This far-reaching regulation has impacts that are not obvious at first glance. Reviewing client lists and the data is the first step. To achieve GDPR compliance, firms must assess policies and procedures, controls, cybersecurity and technology to determine what changes are needed and how to best implement and monitor them. Oyster Consulting is prepared to help in the following ways:


Frequently Asked Questions:

Who is the GDPR for

GDPR is an EU regulation that is aimed at protecting the data and data rights of EU residents (Data Subjects).

Back to top
Are US companies subject to GDPR?

Ask yourself some basic questions – answering yes to any of these may mean that your company may be subject to GDPR:

  • Do I transact business in the EU? Do I have a physical location in the EU, EU employees or do I transact business in an EU currency? All of these scenarios could indicate you “do business” in the EU
  • Do I have a website that collects data from people within the EU? Do I perform data analytics on people who may have visited my website? Gathering someone’s IP information and retaining it could subject you to oversight.
  • Do I have clients that are located in the EU?
  • Do I have contacts or client prospects in the EU? Any personal information I retain on my prospects could be subject to the rule, and my marketing campaigns need to have a specific legitimate business reason to contact the individual, unless I have express consent. Also, do I retain anecdotal personal information about a spouse or family member?
  • Could I receive an email that I would retain in my data base that includes PII, including just an identifiable email address?
  • Do I import business data in any manner that originates from outside sources, not controlled by me? If so I may be receiving GDPR protected data.

There is another way that data is required to be protected. Businesses that are established in the EU must protect the data of all persons, whether they are residents of the EU or not.

Back to top
What is a data subject?

Data subjects are EU residents. EU citizens living abroad are not. Only people can be data subjects; trusts, companies, business, etc. are not data subjects.

Back to top
What constitutes personal data?

GDPR defines protected data as any information relating to an identified or identifiable natural person. Data relating to businesses are not protected. Some data that falls under PII for GDPR include: Name and Address; Economic Data, like income and transactional data; Racial, sexual orientation, and political data; IP address, browser cookie data; and biometric data like fingerprints. Any data that you have that is tied to an individual should be considered protected data.

Back to top
What is the difference between a data processor and a data controller?

GDPR defines two types of users of data: Controllers and Processors. Controllers are the firm that is in charge of determining how data should be treated. Processors are the firms that conduct processing. GDPR does not allow for controllers to assign any responsibility to processors and leave the controller risk free. Ultimately, Controllers are responsible for their all requirements. GDPR considers data processing to include data retention, use, dissemination, backing-up, and deletion of data. What firms need to understand is that any time that you have data or use it in any meaningful sense, you should expect that to be processing

Back to top
What if I have a data breach?

GDPR requires that you notify the appropriate regulators within 72 hours. At that time, you must be able to identify what data and data subjects were compromised, the consequences/severity of the data, and the actions that your firm needs to take or is taking.

Back to top
How does consent work?

Consent is required for processing that is not in the normal legitimate interest of the business. It must be freely-given, meaning that there can be no change in the business relationship due to the giving or withholding consent. Consent cannot be required to use a service or to be a client. Also, the consent must be specific and unambiguous. When the data subject is giving consent, they must know exactly what they are agreeing to and a layman should be able to read the form and understand exactly what they are agreeing to. Just as consent must be free-given, consent must also be withdrawable. The data subject, AT ANY TIME, must be able to withdraw consent, and your firm must stop processing their data, again with no changes in the business relationship. Consent must be a last resort; you cannot use consent as a legal basis if you are using any other legal basis.

You must track who gave the consent, when that consent was given and what the consent actually was with all consent data. This cannot be kept is some other database; it must be tied directly with the data.

Back to top
What are the fines for non-compliance?

Fines for the most egregious of cases are allowed to be up to the GREATER of 20 million euros or 4% of global revenue. One question that is not addressed in the regulation is how US firms will be fined. GDPR does not directly set up a mechanism for non-EU enforcement.

Back to top
What is the right to erasure?

The right to erasure is commonly called the right to be forgotten. This requires that you delete data at the data subject’s request. You are not required to delete the data if you meet certain requirements, like being legally required to retain the data.

Back to top


Did you miss our webinar “GDPR:  Are You Protecting Your Clients’ Data”? Complete the download form below to view the webinar.



For more information about the GDPR, read our blogs:

GDPR is in Effect – What Now?  – January 15, 2019

GDPR: Impacts on American Firms without EU Clients – March 15, 2018

GDPR – Do You Know Your EU Clients and Are You Ready to Protect Their Data? – February 27, 2018


Learn more and access the webinar: