General Data Protection Regulation (GDPR) Requirements, Deadlines and Facts
With so much abundant information out there, let us start with the facts related to GDPR.
What is the GDPR?
“The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.” [i]
Who does the GDPR affect?
“The GDPR not only applies to organizations located within the EU but it will also apply to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.”[ii]
What constitutes personal data?
Any information related to a natural person or ‘Data Subject that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, and posts on social networking websites, medical information, or a computer IP address.[iii]
Other Key GDPR articles
Right to be forgotten / right to erasure, gives a data subject the right to order a data controller/organization to erase any of their personal data in certain situations.
Data Controllers will be required to erase data “without undue delay” when the data is no longer necessary in relation to the purpose for which it was gathered or processed.
Data Protection Officer – Organizations whose “core activities” involve large-scale processing of “special categories” of data need to designate a data protection officer.
Companies who collect this type of information strictly for internal HR purposes may also be subject to this requirement.
Breach notification – As soon as the controller becomes aware that a personal data breach has occurred, the controller should notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it.
Fines – Companies that violate certain provisions can face fines amounting up to 4% of the company annual gross revenue and failure to meet the breach notification rule may result in a fine up to 2% of the company annual gross revenue.
Companies must be able to show compliance by May 25, 2018.
Now that we have the facts we can discuss how to ensure that your organization is GDPR compliant.
The GDPR articles can be found here, we’ll wait a bit while you read the 261 page document.
Now that you’ve read the regulations we can discuss the actions an organization that comes across an EU citizen can do to be compliant.
Listed below are some of the key components that an organization will be required to have:
- Conduct a risk assessment with the goal of understanding what data your business utilizes and identify any gaps so that you address them.
- Hire or appoint a Data Protection Officer, this person will be responsible for understanding the GDPR regulations and ensure the protection of sensitive information.
- Create a data protection plan, most organizations already have a tool such as Data Loss Prevention (DLP) thus some fine tuning will be needed to ensure that you protect data that GDPR requires protected.
- Implement a risk management program to ensure that you are identifying risk and mitigating them in a timely manner.
- Test your Incident Reponses Plan (IRP) as GDPR requires that any breach is reported upon 72 hours of discovery. Thus a well-rehearsed IRP will ensure that your organization can adequately respond and report.
Are you panicking yet? Don’t worry The GDPR leaves much to interpretation as the requirement are to provide a “reasonable” level of protection. Yet if you conduct business within the EU border or if you conduct business with an EU citizen which most likely your organization will fall under either of the criteria’s we will have to be GDPR compliant.
Most of our organizations have some if not all the controls in place to be GDPR compliant.
Whitley Penn can help you validate if you are GPDR compliance.
[i] Source: Official GDPR site GDPR Portal: Site Overview
[i][i], [i][i][i] Source: GDPR FAQs Frequently Asked Questions about the incoming GDPR.
Whitley Penn continues to be one of the region’s most distinguished public accounting firms. With a strong base in Texas and a worldwide network affiliation via Nexia International, the firm is strategically positioned for continued growth both locally and internationally. Whitley Penn has been consistently recognized as “One the Top 100 Firms in the U.S.” and “Best of the Best” by INSIDE Public Accounting. For more information on Whitley Penn, please visit whitleypenn.com.