
Data protection/EU GDPR compliance

On May 25, 2018, the EU General Data Protection Regulation (GDPR) superseded all EU member states’ national data protection laws, which were based on the 1995 Data Protection Directive (DPD). The Regulation introduces a number of key changes for organizations that process EU residents’ personal data, including new rules on international data transfers, documenting data processing activities, performing data protection impact assessments, and appointing data protection officers.

For US organizations, the most significant change concerns the GDPR’s territorial reach. Under the DPD, organizations without a physical presence or employees in an EU territory had one main compliance issue to deal with: how to legally transfer data out of the EU. The EU-US Privacy Shield provides such a mechanism for compliance.

The GDPR takes a different and more substantive approach. Even if the data is collected by an organization operating entirely outside the EU, it is governed by the Regulation if the data relates to the offering of goods or services to EU residents or to monitoring their behavior. Additionally, US organizations without a physical EU presence must appoint a GDPR representative based in a member state.

Almost all US organizations that collect or process data relating to individuals in the EU are required to comply.

Non-compliant organizations face considerably greater penalties under the Regulation than under previous data protection laws – up to 4% of annual global turnover or €20 million (approximately $23 million), whichever is greater. In addition, data subjects have the right to seek judicial remedies against data controllers and processors, as well as the right to obtain compensation for damages occurring as a result of GDPR breaches.

If you’re undertaking a GDPR compliance project, IT Governance can provide everything you need.



For general information about the GDPR, visit our dedicated GDPR page >>
or read our handy infographic >>


Green papers

For more in-depth information about the GDPR, download our free green paper, EU GDPR: A compliance guide.



IT Governance’s webinars cover a variety of topics, such as cyber security, the GDPR, ISO 27001, and IT service management, and all of our webinar resources can be downloaded for free.

Click here to watch the recordings of our latest webinars >>


Products and services

Top tip:

The GDPR encourages the adoption of certification schemes as a means of demonstrating compliance.

An ISO 27001-compliant ISMS (information security management system) should be the starting point for all organizations seeking to demonstrate that they have implemented these measures.

Find out more about ISO 27001 >>


The GDPR states that data controllers must implement "appropriate technical and organisational measures to ensure and to be able to demonstrate that the processing is performed in accordance with this Regulation."

These measures must include the implementation of appropriate data protection policies, and controllers may use adherence to approved codes of conduct or management system certifications "as an element by which to demonstrate compliance with [their] obligations."

Here are a few ways we can help you achieve GDPR compliance.

  • Consultancy

    Our consultants have over a decade’s experience of information security management and data protection projects.

  • Documentation toolkits

    EU GDPR Documentation Toolkit

    Creating documentation for a management system is never easy. Fortunately, IT Governance’s documentation toolkits contain fully customizable templates that have been written and field-tested by our consultants.

    This toolkit provides the customizable documents, policies, and procedures essential for any organization seeking to achieve compliance with the GDPR.
    Click here for more information about the GDPR toolkit >>

  • Penetration testing

    Regular penetration testing is the most effective way of demonstrating that exploitable vulnerabilities in your company’s Internet-facing applications and infrastructure have been identified, and it allows you to apply appropriate mitigation.

    Click here for more information about penetration testing >>

  • Software

    Simplify GDPR compliance with software that streamlines processes, saves time, and reduces costs.

    Choose from:

    • Data Flow Mapping Tool
      To comply with the GDPR, organizations must understand the personal data they process. To do so, it’s necessary to create a data flow map. The Data Flow Mapping Tool simplifies the process of creating data flow maps, making them easy to review, revise, and update as your organization evolves.
      Click here for more information about the Data Flow Mapping Tool >>

    • Compliance Manager
      Comply with all of the relevant legal and regulatory requirements of the GDPR. Designed to help users keep track of their compliance with applicable laws and regulations, Compliance Manager is a comprehensive tool for managing information security and data protection requirements.
      Click here for more information about the Compliance Manager >>

  • Training

    Delivered by experienced data protection consultants, our GDPR training sessions are built on the foundations of our extensive practical experience advising on compliance with data privacy laws.

    Choose from:

    • Certified EU GDPR Foundation
      This one-day course provides a comprehensive introduction to the EU GDPR and a practical understanding of the implications and legal requirements for US organizations of any size. Delegates who pass the included exam gain the EU GDPR F qualification from IBITGQ.

      Available as:

      Classroom Course >>

      Live Online >>

      Distance Learning >>


    • Certified EU GDPR Practitioner
      This four-day advanced-level course aims to help delegates fulfill the role of data protection officer (DPO) under the GDPR and covers the Regulation in depth, including implementation requirements, the necessary policies and processes, and important elements of effective data security management. Delegates who pass the included exam gain the EU GDPR P qualification from IBITGQ.

      Available as:

      Classroom Course >>

      Live Online >>

      Distance Learning >>

    Book the combination Foundation and Practitioner training courses together and save 15%.

    Find out more about our training courses >>


Contact us

To discuss your EU GDPR requirements, please call us on (877) 317-3454 or email