

Understanding GDPR Compliance in the US: The Four Cornerstones of GDPR

By: Tim Foley


The General Data Protection Regulation (GDPR) goes into effect on May 25, 2018. To help you understand the many facets of this massive legislation and its potential impact, it may be useful to split the regulation into "The 4 Cornerstones of GDPR" as shown below. Carving the regulation into four logical components, or quadrants, helps you ask the right leading questions and better understand your functional requirements. The GDPR is a comprehensive data privacy regulation introduced by the European Union (EU) to protect the personal data and privacy of EU citizens. It is built on four main cornerstones:

  1. Lawfulness, Fairness, and Transparency: Organizations must process personal data in a lawful, fair, and transparent manner. This means they need a valid legal basis for processing personal data, they must inform individuals about how their data will be used, and they should ensure that their data processing practices are fair.
  2. Purpose Limitation: Personal data should only be collected and processed for specific, explicit, and legitimate purposes. Organizations should not use the data for purposes that are incompatible with the original reasons for which the data was collected.
  3. Data Minimization: Organizations should collect and process only the minimum amount of personal data necessary to achieve the intended purpose. This principle encourages limiting the scope of data collected to reduce risks associated with data breaches and privacy violations.
  4. Accuracy and Data Quality: Personal data should be accurate, up to date, and kept in a form that permits identification of individuals for no longer than necessary. Organizations are responsible for maintaining the accuracy of the data they process and for ensuring that inaccurate or outdated information is rectified or erased.

The General Data Protection Regulation is a less "prescriptive" regulation than those we in the United States are typically used to, which is contributing to some of the confusion around achieving compliance with it. Many US-born compliance regimes and regulations provide great detail and context around the types of scans, minimum requirements, and data artifacts necessary for a successful audit outcome. By contrast, GDPR has largely given us the "end state" of what your organization must be able to do; how you achieve that end state is left to each organization, given its own process workflows and other business drivers.

As with almost anything, some prefer this approach and some do not, but regardless of preference, this new regulation protecting the privacy rights of EU citizens goes into effect on May 25, 2018. If your organization is bound by it, it is important to take active measures toward meeting the four cornerstones of GDPR described above.

If you are looking for an information security partner to help your business become more resilient in an ever-changing and risk-aware world, read about our Managed Cyber Security Services to find out how Dataprise's information security services can help you achieve those goals.
