GDPR Compliance for U.S. Companies

The General Data Protection Regulation (GDPR) is without question a watershed moment in the world of regulatory compliance, especially for U.S. companies. While numerous laws and legislative edicts of the past have placed heavy financial and operational burdens on businesses in the U.S. – such as HIPAA, Sarbanes-Oxley, PCI DSS, and others – GDPR now becomes yet another strict regulation in what’s becoming an increasingly long line of compliance rulings. GDPR compliance for U.S. companies has hit our shores, so it's time to get serious about data privacy and security – FLANK can help.

As a U.S. business, do you store, process and/or transmit personal data for data subjects that reside in the European Union (EU)? An answer of yes, or even a slight hint or acknowledgement that your business may in fact support such activities relating to personal data of EU data subjects, will ultimately require some form of compliance with the GDPR. Here's the point: GDPR compliance for U.S. companies is going to be mandatory if you handle EU personal data.

Businesses of all types, industries, and sizes throughout the globe – and especially in the U.S. – are operating across borders, providing essential services and solutions to various countries. With globalization increasing, the demand for ensuring the safety and security of consumer data – and other supporting information – has now become a primary concern for all, and understandably so.

Cybersecurity threats and attacks are on the rise, data breaches are increasing at alarming rates, and businesses are facing growing insider threats – realities of the new digital world we all live in.

US Businesses Will be Impacted by the GDPR

Enter GDPR compliance for U.S. companies, a massive piece of legislation aimed at promoting the core tenets of data security, privacy, accountability, rights for data subjects, and more. It’s not a singular law focused on one specific aspect, rather, a broad-based mandate that requires a consortium of business requirements – and best practices – to come together in a unified fashion. It “can” be daunting, no question about it, and that’s why FLANK – a recognized leader in providing comprehensive security, governance, and compliance solutions for U.S. and EU businesses – has dug deep into the GDPR fine print, offering a detailed overview and analysis. What makes FLANK different from other providers when it comes to GDPR solutions?

We know technology inside and out. We have a massive repository of policies and procedures. We have competent legal counsel with deep regulatory knowledge. Want to learn more? Email us today to learn more about how we can help your business succeed.

Getting to Know the Core Pillars of the GDPR

The GDPR is far-reaching indeed, particularly when it comes to its core pillars of (1) Principles, (2) Accountability, (3) Rights of the Data Subject, (4) Obligations, (5) Technical and Organizational Measures, (6) Documentation, and (7) Additional Legal, Administrative, and Operational GDPR Requirements. There’s no single, dominant requirement within the GDPR, rather, a consortium of initiatives that bring together many of today’s information security, operational, legal, and technical best practices.

GDPR “Principles”

Regarding “Principles”, Articles 5, 6, and 7 – and others – speak to the importance of “lawfully, fairly, transparent, accurate, consent”, and more – edicts that echo strict requirements for controllers and processors regarding personal data for data subjects. More specifically, these Articles require the following:

Personal data shall be:

  • Processed lawfully, fairly and in a transparent manner.
  • Collected for specified, explicit and legitimate purposes.
  • Adequate and relevant.
  • Accurate.
  • Kept in a form which permits identification of data subjects for no longer than is necessary.
  • Processed in a manner that ensures appropriate security.

Additionally:

  • The data subject has given consent to the processing.
  • The controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
  • The data subject shall have the right to withdraw his or her consent at any time.

The GDPR has a clear goal in mind – protecting the rights of data subjects at all times with a strict set of guidelines that must be adhered to by controllers and processors. It’s about putting power in the hands of people, where the rights and privileges of citizens come first. The GDPR clearly recognizes that any type of processing by such controllers and processors creates risks for data subjects’ personal data, and as such, the need for establishing comprehensive controls for data protection and privacy is critical. Welcome to the new world of global compliance with the GDPR, a groundbreaking piece of legislation by many accounts.

GDPR and “Accountability”

Regarding “Accountability”, per Article 5(2), “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’)”, which essentially implies compliance with the aforementioned “Principles”. Article 5(2) may only be a single sentence, but its implications are far-reaching indeed, as compliance with paragraph 1 requires a business to implement comprehensive information security, operational, and privacy policies, procedures, and processes. With so many Articles and requirements in place, it can seem challenging to even find a starting point, which is why GDPR compliance for U.S. companies and EU entities begins with a Scoping, Readiness & Gap Analysis from FLANK.

GDPR and “Rights of the Data Subject”

Regarding “Rights of the Data Subject”, the GDPR dedicates an entire chapter (Chapter 3), which includes Articles 12 to 23 on this very topic, underscoring the critical importance of the various rights of individuals. Central to the rights for data subjects are the following:

  • Right of access, specifically, the purposes of processing of personal data and the respective categories of data, whom such data will be disclosed to, the right to log complaints, and more [Article 15(1)].
  • The right of rectification of inaccurate data [Article 16].
  • The right to erasure/right to be forgotten, for which controllers are obligated to erase personal data without undue delay [Article 17].
  • The right to restriction of processing of data if certain conditions apply, such as if the accuracy of the personal data is contested, processing is unlawful, or the data is no longer needed for processing [Article 18(1)].
  • The right to portability, specifically, the ability to receive personal data in a structured format for which data subjects can satisfactorily transfer such data from one controller to another [Article 20(1)].
  • The right to object to processing of personal data based on stated provisions within the GDPR [Article 21].

Each of the respective rights for data subjects places heavy burdens on controllers – and processors, where applicable – for meeting such rigorous requirements. Therefore, a heavy investment will need to be made in developing policies, procedures, and processes regarding the rights of data subjects. Specifically, documented policies and procedures should clearly illustrate the GDPR requirements and the relevant steps to be performed by controllers and processors for enacting such rights.

For example, what processes and procedures do you have in place for erasing personal data when the right to erasure is invoked by data subjects? What tools and technologies are used for ensuring data subjects can and ultimately do receive their data in a usable, structured format should they invoke the right to data portability? Lastly, from a scope perspective, what other third parties are involved in facilitating such activities, and what are their respective processes and procedures regarding the rights of the data subject?

GDPR and “Obligations”

Regarding “Obligations”, the GDPR in Article 1(1) states that “This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.” Therefore, the very rules within the GDPR contain a wide range of obligations for ensuring the safety and security of data subjects’ personal data being processed. Simply stated, the burden of compliance is on controllers and processors – not data subjects – so welcome to the new world of regulatory compliance for untold numbers of businesses throughout the globe.

Data subjects have specific rights – quite a few, to say the least – which translate into obligations that must be met by controllers and processors. Do you have documented policies and procedures in place for information security, data privacy, incident response, and more? Do you have formalized processes on hand when it comes to executing any number of requirements for data subjects, such as removing data, providing data for “portability”, and other measures? While the GDPR may not provide an actual prescriptive list of obligations in line-item checkbox format, it’s quite obvious that much must be done to ensure compliance when interpreting the subject matter within Articles 24 to 31, which list general obligations for controllers and processors. Notable highlights of these Articles consist of the following:

  • Implement appropriate technical and organizational measures for meeting various requirements (Articles 24 and 25).
  • When processing is to be carried out on behalf of a controller, the controller is to only use processors that provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the GDPR (Article 28).

The best place to start one’s GDPR compliance endeavors is a GDPR Readiness & Gap Assessment. Contact us today to learn more about GDPR compliance for U.S. companies and EU entities.

GDPR “Technical and Organizational Measures”

Regarding “Technical and Organizational Measures”, a core concept illustrated within various Articles of the GDPR, particularly Article 32, controllers and processors will have to ensure adequate levels of security are in place for ensuring the confidentiality, integrity, and availability – and more – of processing and other related activities. Four brief words – “technical and organizational measures” – are creating considerable debate and massive security responsibilities for controllers and processors. What’s making the interpretation challenging is two-fold: first, it seems as if scores of professionals from different business sectors (i.e., legal, InfoSec, H.R., etc.) are offering up their opinion of what’s required for “technical and organizational measures”. Second, the phrase itself is rather vague in terms of compliance, as the GDPR does not provide strict requirements for implementation, rather, only offering up a brief list of guidelines within Article 32.

The following serves as helpful guidance for the all-important implementation of “technical and organizational measures”:

If it’s about Information Security, look to ISO 27001/27002

Understand that such a phrase (again, while only a mere four words) serves as the basis for information security under the GDPR; therefore, controllers and processors need to think long and hard about the type of InfoSec framework – if any – they have in place. Because the GDPR originated from the EU, a large number of businesses will ultimately be viewing the ISO 27001/27002 framework as a natural springboard for Article 32 compliance, and rightfully so. When ISO 27001/27002 is properly implemented, it results in the adoption of an Information Security Management System (ISMS) that includes a healthy number of information security policies, procedures, and processes – all of which are documented.

Dig deeper and ISO 27001/27002 – specifically the controls found in the ISO 27001 Annex and the identical stand-alone controls in ISO 27002 – encompass many of today’s InfoSec best practices: access control, encryption, audit logging, incident response, BCDRP, and so much more. This in turn allows controllers and processors to confidently meet core provisions relating to the concept of “technical and organizational measures” found within the GDPR.

Download the GDPR Mapping to ISO 27001/27002 Matrix and the GDPR Compliance Requirements and Overview Matrix to learn more about the need for documented GDPR policies and procedures.

NIST SP 800 is a More than Acceptable Framework

Don’t have an ISMS in place, or any policies and procedures specific to ISO 27001/27002? Not a problem. Again, with no specific mandate for adopting a prescriptive InfoSec framework, controllers and processors have options indeed, so consider the NIST SP 800 series of publications, especially NIST SP 800-53. In fact, many North American businesses unfamiliar with ISO 27001/27002 have instead adopted the security controls within NIST SP 800-53, and for very good reason, as 800-53 is considered one of the most comprehensive, in-depth and well-respected security frameworks in the world. Many U.S. regulations require compliance with NIST SP 800-53 – FedRAMP, FISMA, DFARS 800-171, and more – so it’s logical to adopt and implement a known framework. With a lengthy list of control families included within NIST SP 800-53, it’s logical to confidently assume that implementation of 800-53 provides coverage for the GDPR “technical and organizational measures”.

What about Stand-alone Security documents with no Prescriptive Framework?

Not a problem, and why should it be, so long as controllers and processors have in place a mature set of InfoSec and operational controls that can meet or exceed the threshold for “technical and organizational” measures. Think about it: what’s the real difference between a non-prescriptive encryption policy, an access control policy – or any other InfoSec domain policy – and a policy developed in accordance with ISO 27001/27002, NIST SP 800, or another framework? Marginal at best, especially if you’ve covered the core elements within each InfoSec domain.

GDPR and the Need for “Documentation”

Regarding “Documentation”, it’s well-known in today’s world of regulatory compliance that developing policies, procedures, and other supporting materials is an incredibly important – and time-consuming – process. First, if you’ve adopted either the ISO 27001/27002 and/or the NIST SP 800 framework, then you’ve undoubtedly developed an almost laundry list of information security policies and procedures. If no framework is in place, then controllers and processors will need to look at either (a) adopting one, or (b) developing stand-alone InfoSec and operational policies and procedures.

Remember, however, that documentation is not just limited to information security, it also requires coverage for various legal, H.R., and operational areas. Therefore, consider the following:

  • Do you have documented privacy policies and procedures in place that illustrate your rights and obligations for ensuring the safety and security of data subjects’ personal data?
  • Do you have documented vendor management policies and procedures in place for ensuring all relevant third-parties have adequate controls in place for safeguarding data subjects’ personal data?
  • Do you have documented risk management policies and procedures in place for assessing risks, threats, and other issues that could impact the safety and security of data subjects’ personal data?

Such documents, and many more, are a strict requirement of the GDPR, and just another example of documentation above and beyond having just InfoSec policies in place. Speaking of information security, a best practice is to have the following core set of InfoSec policies, procedures, and forms in place, many of which are covered within the ISO 27001/27002 and NIST SP 800 frameworks:

  • Access Control
  • Anti-Virus and Anti-Malware
  • Asset Inventory
  • Change Control | Change Management
  • Configuration Management
  • Data and Information Classification
  • Data Backup and Recovery
  • Database Policy
  • Encryption & Key Management
  • Firewall Policy
  • Incident Response
  • Internet Usage Policy
  • Remote Access Policy
  • Removable Media Policy
  • Security and Patch Management
  • Software Development Life Cycle
  • Vendor Management
  • Virtualization Policy
  • Vulnerability Management
  • Web Server Security Policy
  • Wireless Security
  • Workstation Security
  • User Provisioning
  • User De-Provisioning

FLANK offers a wide range of professionally developed compliance documents available for instant download today for meeting stringent GDPR compliance mandates. Contact us today to learn more.

Additional GDPR Compliance Requirements

Regarding “Additional Legal, Administrative, and Operational GDPR Requirements”, this is a government regulation, so expect to see a plentiful list of other stipulations – that’s just the nature of regulations. Additional subject matter you’ll need to be aware of consists of the following:

Codes of Conduct in GDPR

There’s a push within the GDPR to have Member States and supervisory authorities “encourage” codes of conduct for ensuring a degree of harmonization is in place with respect to processing personal data safely and securely. The intent is understandable, yet it’s still unclear how such a measure would be implemented, to what degree, for what industries, and more. Again, we’re in the early stages of the GDPR, so expect clarity and maturity for the respective Articles as the law begins to take effect. For now, controllers and processors should look to see if any type of “codes of conduct” are being discussed within the Member State community, and if so, what action must be taken.

There’s also the possibility of industry-specific “codes of conduct”, so look to your existing associations and governing bodies for guidance on this matter. With the GDPR being such an overwhelming legislative mandate filled with required initiatives, it’s unclear when Articles 40 and 41 will rise to the top of importance, due in large part to the fact that “encourage” does not mean required.

Will there be Certification for the GDPR?

There most certainly will be, but remember that certification is voluntary and non-certification does not mean non-compliance with the GDPR. The Member States, the supervisory authorities, and other parties are advised to “encourage” the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance. In today’s world of regulations, certifications often stand out as a way of demonstrating compliance, so there’s value to be had for sure.

Additional benefits of GDPR certification allow start-ups and small and medium businesses (SMBs) to showcase compliance with an industry-approved assessment mechanism, along with possibly reducing costly oversight by regulatory authorities in Member States and other relevant bodies. Additionally, certification will also help speed up the due-diligence initiatives that organizations undertake when considering possible business partners. Controllers seeking to gain a stronger understanding of processors’ internal controls in relation to the GDPR can gain confidence with certification measures in place.

Probably the two biggest questions regarding certification are: who will certify, and what will be certified?

As of this writing, certification bodies/organizations are still in their infancy, but that will surely change as the time passes and the GDPR gains maturity and adoption with the broader global business market. As to what will be certified, the GDPR states that the object of certification is for “processing operations”, which can essentially mean a product, system, service, function, an organization’s overall processes and/or privacy programs, etc. Additionally, whatever the scope of the certification for the GDPR, it should be clear and concise for ensuring no ambiguity, as controllers and processors will want to avoid any type of market confusion and misrepresentation.

When discussing certification, the GDPR uses the terms “certifications, seals, and marks”, which should be looked upon as equivalent in terms of use and application within the broader process of becoming certified. In essence, such terms all mean the same and are interchangeable.

Transfers of Data

Per Article 45 of the GDPR, any transfer of personal data for processing to a third country or to an international organization can only take place if specific conditions are complied with by the controller and processor. In keeping with the true spirit of the GDPR, it’s vitally important that any controllers, processors, and other relevant third parties located in third countries or international organizations do all they can for ensuring the safety and security of personal data for EU data subjects. This in turn requires the following:

  • Adequate levels of protection must be in place.
  • In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organization only if the controller or processor has provided appropriate safeguards.
  • Binding corporate rules must be approved by the competent supervisory authority.
  • Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognized or enforceable if based on an international agreement.
  • Transfers of data can only take place if certain conditions are met.
  • The Commission is working to develop international cooperation with third countries and international organizations regarding the GDPR. This is a clear signal that the GDPR is not just limited to the borders of EU countries.

Independent Supervisory Authorities

Regarding “Independent Supervisory Authorities”, each Member State is to provide what the GDPR refers to as “…one or more independent authorities…” responsible for monitoring the application of the GDPR itself. Such monitoring will require cooperation and collaboration with the Commission and other Member States for ensuring the overall success of the GDPR. Additionally, supervisory authorities are to act independently in performing their tasks, which essentially means remaining free from external influence. Moreover, Articles 53 to 59 discuss additional provisions relating to the broader subject of “Independent Supervisory Authorities”, such as rules, competence, tasks, powers, and activity reports.

Cooperation and Consistency

Articles 60 to 76 speak to the need for “Cooperation and Consistency” within the GDPR, specifically, the cooperation of all parties involved with enforcing, monitoring, and implementing what’s become arguably the most far-reaching global legislative mandate ever seen. Subject matter within the various articles for “Cooperation and Consistency” includes mutual assistance, consistency, dispute resolution, scope and tasks of the Chair, and more. The vast majority of this subject matter is administrative in nature, devoid of any meaningful requirements for controllers and processors.

Remedies, Liabilities, and Penalties, Provisions, and Acts

Articles 77 to 84 discuss the following remedies, liabilities, and penalties that controllers and processors need to be aware of:

  • Article 77 – Right to lodge a complaint with a supervisory authority
  • Article 78 – Right to an effective judicial remedy against a supervisory authority
  • Article 79 – Right to an effective judicial remedy against a controller or processor
  • Article 80 – Representation of data subjects
  • Article 81 – Suspension of proceedings
  • Article 82 – Right to compensation and liability
  • Article 83 – General conditions for imposing administrative fines
  • Article 84 – Penalties

Articles 85 to 99 discuss various provisions and acts that controllers and processors also need to be aware of.

Take the Next Steps Toward GDPR Compliance Now!

The GDPR is a massive piece of legislation requiring considerable resources for becoming – and remaining – compliant. Controllers and processors will quickly find that they need competent, professional consultants to assist through all phases of GDPR compliance. Taking the next step means being aware of the huge responsibilities that lie ahead with the GDPR, while also beginning to put in place a roadmap for meeting all necessary milestones for compliance, and this can be challenging indeed. Here’s how FLANK can assist with GDPR compliance for U.S. companies, EU businesses and all other entities throughout the globe:

  • Begin with a GDPR Readiness & Gap Assessment: Understanding GDPR scope, gaps and deficiencies, and next steps to take for becoming fully compliant is what controllers and processors can expect in terms of deliverables from FLANK’s GDPR readiness & gap assessment activities.
  • Download the world’s most in-depth GDPR Checklist: Because of the size and complexity of the GDPR, controllers and processors would benefit from an incredibly comprehensive, easy-to-use and easy-to-understand GDPR checklist, which is what FLANK offers for download today at flank.org.
  • Get Your Very Own GDPR Data Protection Impact Assessment (DPIA) Template: Need to perform a Data Protection Impact Assessment (DPIA)? Then download FLANK’s DPIA template, an in-depth MS Word document that’s been developed by cybersecurity and privacy professionals.
  • Access the Very Best GDPR Policy Templates & Toolkits: Documentation is one of the most demanding aspects of compliance with the GDPR, and FLANK has labored long and hard in developing high-quality, industry leading information security, operational and privacy policies, procedures, forms, templates, and other supporting materials for controllers and processors.
  • Why FLANK for all your GDPR Compliance Needs: Because we have expertise across business sectors – I.T., legal, H.R., operations, information security, and more – a rare find in today’s professional services firms. Want to learn more about GDPR compliance? Then contact us today.

Start with a GDPR Readiness & Gap Assessment

FLANK’s GDPR readiness & gap assessment services provide controllers and processors with a crystal-clear look into their operations and the supporting internal controls needed for ensuring GDPR compliance is met. With a proven team by your side every step of the way, FLANK’s GDPR readiness & gap assessment services consist of the following:

  • Assessing GDPR Scope: The GDPR is a massive piece of legislation with many moving parts, so it’s important that controllers and processors know what they’re up against in terms of compliance, which ultimately begins with assessing scope. Questions that we get answers to during this process include the following:
    • What types of personal data for data subjects are being stored, processed, and transmitted?
    • What third-parties are also considered in scope for the GDPR, why, and do they have proper controls in place?
    • What internal and external personnel will be involved in working with FLANK during and after the GDPR readiness & gap assessment activities?
  • Assessing Operational Controls: The operational aspects of GDPR compliance are far-reaching indeed as controllers and processors need to ensure that various H.R., legal, privacy, and other prescriptive requirements are met for compliance. For example, do you have privacy policies in place, processes and procedures for correcting and erasing personal data, well-documented incident response initiatives for responding to incidents and possible breaches? These are just a few examples of the depth of FLANK’s activities during a GDPR readiness & gap assessment.
  • Assessing Information Security Controls: Per Article 32, “…the controller and the processor shall implement appropriate technical and organizational measures…”. FLANK will do a deep dive into your information security processes and procedures, determining what framework – if any – you have in place, and what areas within the broader application of InfoSec will require remediation for the GDPR.
  • Assessing Documentation: Policies and procedures are a heavy mandate for the GDPR, much like many of today’s regulations, and once again, controllers and processors are struggling immensely with such requirements. FLANK, the world’s leading provider of GDPR policies and procedures, can quickly identify what gaps and deficiencies exist within your documentation, providing expert guidance on remediation.

Download the GDPR Compliance Checklist

Because of the enormous scope of the GDPR, controllers and processors would benefit from a well-documented, easy-to-use and implement checklist for the General Data Protection Regulation. FLANK has developed what’s without question the most comprehensive GDPR checklist found anywhere today, and it’s available for download today at flank.org. Our GDPR checklist for controllers and processors contains the following:

  • Complete coverage of all essential GDPR articles with corresponding questions and fields for providing detailed answers.
  • Easy-to-use and implement MS Word document for both controllers and processors seeking GDPR compliance.
  • Exhaustively researched and developed by global privacy, information security, cyber, and legal/H.R. professionals.
  • Available for download today, along with other essential GDPR documentation, at flank.org.

Do You Need to Perform a DPIA for GDPR? Find Out Now.

What’s a Data Protection Impact Assessment (DPIA)? According to Article 35 of the GDPR, it’s “a systematic description of the envisaged processing operations and the purposes of the processing…by the controller.” More simply stated, it’s about assessing one’s business, legal, privacy, operational, and technology controls (i.e., policies, procedures, processes, and practices) relating to the safety and security of the personal data of EU data subjects that your company, and its related affiliates, process. Do you need to perform one? The answer is yes in the case of the following:

  • (a). Systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
  • (b). Processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or
  • (c). A systematic monitoring of a publicly accessible area on a large scale.

Download Data Protection Impact Assessment (DPIA) Template

Still unclear whether you meet the above criteria? Then download FLANK’s simple three-page Data Protection Impact Pre-Assessment (DPIPA) Determination Matrix template for determining if a DPIA is needed. If you need to perform a DPIA, we offer a professionally developed, industry-leading Data Protection Impact Assessment (DPIA) template available for instant download. The DPIA template contains all necessary information for performing this critical task as mandated by the GDPR. With an easy-to-use and easy-to-customize MS Word template, controllers and processors can quickly complete a much-needed DPIA and report all relevant findings to the requesting parties. The Data Protection Impact Assessment template is just one of many documents developed exclusively for the GDPR by FLANK. GDPR compliance for U.S. companies is a must if you process personal data for EU data subjects, which means you'll most likely have to perform a DPIA.

Download GDPR Policy Templates & Toolkit Today

Compliance with the GDPR requires a tremendous amount of documentation – no question about it – and FLANK delivers by offering world-class policies and procedures for controllers and processors seeking the very best templates and toolkits found anywhere. With FLANK, you’ve got the following options when it comes to GDPR documentation:

  • ISO 27001/27002: 2013 All-in-One Toolkit: Controllers and processors can utilize FLANK’s ISO 27001/27002: 2013 All-in-One Toolkit containing hundreds of pages of information security policies, procedures, and more. What better way to meet the Article 32 requirements of the GDPR than by developing and implementing an Information Security Management System (ISMS) with our world-class documentation, available for instant download.
  • GDPR Compliance All-in-One Toolkit: If you’re looking for what’s arguably the very best set of policy documents for becoming compliant with the GDPR, then look no further than the world-class GDPR Compliance All-in-One Toolkit from FLANK. From privacy policies to information security templates, incident response plans, and more, the GDPR All-in-One Global Compliance Toolkit delivers a regulatory homerun.
  • Dozens of Additional Policy Templates & Toolkits: FLANK also offers a wide range of information security policies and toolkits for businesses seeking to implement best practices for various regulations and standards. We also offer stand-alone policy templates and toolkits that are non-framework driven, yet still meet the requirements for high-quality, professionally developed InfoSec documents. With FLANK’s policy templates and toolkits, you get it all, and instantly, with our convenient download options.

GDPR Compliance Consulting with FLANK

The GDPR is not a one-dimensional regulation, rather, it contains numerous Articles that require H.R., privacy, operational, InfoSec and legal expertise, and more. FLANK is a leading provider of solutions for GDPR compliance requirements, offering expertise in all subject matter relating to the General Data Protection Regulation, so contact us today to learn more. When it comes to GDPR compliance for U.S. companies, FLANK can help.

  • The world’s leading provider of GDPR compliance policies, templates, and documents.
  • Highly specialized compliance consultants who truly understand all aspects of the GDPR.
  • Recognized information security and cybersecurity specialists with years of global compliance expertise.