In 2016, the European Union (EU) adopted the General Data Protection Regulation (GDPR), which takes effect on May 25, 2018. The regulation reaches far more broadly than the US CAN-SPAM Act or Canada’s Anti-Spam Legislation, and while many view it as a positive step for consumer protection, GDPR introduces new challenges for organizations that collect and process the personal data of people in the EU. AAFCPAs’ Business & IT Advisory Practice advises clients on GDPR compliance and offers the insights below on what organizations should do now to prepare.
Who does this affect?
The GDPR applies to all businesses established in the European Union, regardless of size or industry, that handle any personal data. It also applies to organizations based outside the EU that offer goods or services to, or monitor the behavior of, individuals in the EU. The test is where the data subject is located, not citizenship.
How do I comply with GDPR?
GDPR consists of several key parts:
- Privacy: Organizations should collect personal data only when it is necessary, and must limit access to that data to appropriate individuals.
- Erasure: Organizations must permanently erase an individual’s personal data upon request (the “right to be forgotten”), unless a legal ground for retaining it applies.
- Consent: Individuals must explicitly opt in to the collection of their personal data, and consent may be withdrawn at any time. This differs greatly from US practice, which generally requires only an opt-out option.
- Data protection: Personal data should be anonymized or pseudonymized wherever possible to protect data subjects. Pseudonymization replaces identifiers with tokens that can be linked back to the person only with separately held additional information (such as a key); anonymization removes that link entirely.
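To make the pseudonymization/anonymization distinction concrete, here is an added example in Python. It is not code from AAFCPAs or from the regulation; the records are constructed sample data, and it assumes the HMAC key is stored apart from the dataset (for example in a key management service) so that the analytics copy can be shared without the key. It also shows the common mistake of using an unkeyed hash, which an attacker with a list of candidate email addresses can reverse by guessing.

```python
"""Pseudonymization (keyed, linkable, reversible only with the key) versus
anonymization (irreversible) of email addresses and IP addresses.

Added example; not from the original page. Assumes the key is held
separately from the pseudonymized data, e.g. in a KMS (hypothetical setup).
"""
import hashlib
import hmac
import ipaddress
import secrets

# Constructed sample records for this example (not real users).
SAMPLE_RECORDS = [
    {"email": "Alice@Example.com", "ip": "203.0.113.45", "page": "/pricing"},
    {"email": "alice@example.com", "ip": "203.0.113.77", "page": "/checkout"},
    {"email": "bob@example.net", "ip": "2001:db8:abcd:1234::1", "page": "/"},
]


def normalize_email(email: str) -> str:
    """Case-fold and trim so the same person always maps to one token."""
    return email.strip().lower()


def unkeyed_hash(email: str) -> str:
    """Plain SHA-256 of the address. Often mistaken for pseudonymization, but
    anyone holding a list of candidate addresses can reverse it by guessing."""
    return hashlib.sha256(normalize_email(email).encode()).hexdigest()


def pseudonymize(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key kept away from the dataset.
    Same email + same key -> same token, so records stay linkable;
    without the key a token can be neither reversed nor verified."""
    return hmac.new(key, normalize_email(email).encode(), hashlib.sha256).hexdigest()


def anonymize_ip(ip: str) -> str:
    """Truncate to /24 (IPv4) or /48 (IPv6). No key exists, so the original
    address cannot be recovered from the result."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def pseudonymize_records(records, key: bytes):
    """Analytics copy: tokens instead of emails, truncated IPs, nothing else."""
    return [
        {"user_token": pseudonymize(r["email"], key),
         "ip_prefix": anonymize_ip(r["ip"]),
         "page": r["page"]}
        for r in records
    ]


def build_reidentification_table(records, key: bytes):
    """The separately held 'additional information': token -> email.
    Lives only with the key holder. Deleting the table and the key turns the
    analytics copy into anonymous data; deleting one entry (and the key
    holder's copy of the email) honors an erasure request for that person."""
    return {pseudonymize(r["email"], key): normalize_email(r["email"]) for r in records}


def recover_by_guessing(token: str, candidates, key: bytes = None):
    """Attacker with a candidate address list. Succeeds against unkeyed hashes;
    against keyed tokens it succeeds only if the attacker also has the key."""
    for candidate in candidates:
        guess = unkeyed_hash(candidate) if key is None else pseudonymize(candidate, key)
        if hmac.compare_digest(guess, token):
            return normalize_email(candidate)
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice: fetched from a KMS, never stored beside the data
    for row in pseudonymize_records(SAMPLE_RECORDS, key):
        print(row)
    print("distinct users:", len(build_reidentification_table(SAMPLE_RECORDS, key)))
```

Run it as a script to see the analytics copy; the two records for Alice share one token, which is what makes pseudonymized data still usable for per-user analysis while the email itself never leaves the key holder.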
To be in compliance with the GDPR, businesses who collect and process personal data of EU residents must follow stringent rules, including (but not limited to):
- Obtaining consent before collecting personal data.
- Offering customers the ability to request all their records be permanently deleted.
- Reporting a personal data breach to the supervisory authority within 72 hours of becoming aware of it, and notifying the affected individuals when the breach is likely to result in a high risk to their rights and freedoms.
What is the risk of non-compliance?
EU data protection authorities have pursued enforcement aggressively for years. The new regulation imposes heavy fines for violations: up to €20 million or 4 percent of global annual revenue, whichever is higher. For US companies with a physical presence in the EU, the GDPR may be enforced directly against that presence. US businesses with no physical presence that actively conduct business in the EU must designate a representative located in the EU.
Finally, against companies with no EU presence, EU regulators will rely on international law and the cooperation of US authorities to collect fines. No defined mechanism exists for this yet, but authorities on both sides have a history of working together.
What does AAFCPAs advise?
AAFCPAs urges clients to begin evaluating their user data and IT systems now: identify what personal data you store, where it resides, and which systems and third parties process it. The guidance in this post is a starting point and is not intended to be all-inclusive.
The GDPR defines ‘personal data’ as any information relating to an identified or identifiable natural person (the ‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. In practice, this includes online identifiers such as email addresses, cookie identifiers and IP addresses, as well as biometric data.
We advise clients that have not already done so to begin preparing now for the May 25, 2018 effective date, so they understand the impact of the new standard on their business and can develop an implementation schedule that allocates resources appropriately and achieves compliance.
AAFCPAs’ Business & IT Advisory practice evaluates clients’ processes and systems readiness for compliance with GDPR. For more information please contact your AAFCPAs Partner, or James Jumes, leader of AAFCPAs’ integrated business & IT advisory practice at: 774.512.4062 or firstname.lastname@example.org.