Are You Ready for GDPR? Broad Reaching User Data Regulations Take Effect May 2018

Posted on April 10, 2018June 27, 2024

In 2016, the European Union (EU) approved the General Data Protection Regulation (GDPR), which is effective on May 25, 2018. These regulations are much broader reaching than US CAN-SPAM or the Canadian Anti Spam law, and while many view this legislation as a positive step for consumer protection, GDPR introduces new challenges for organizations who collect and process user data of European residents. AAFCPAs’ Business & IT Advisory Practice advises clients regarding GDPR compliance, and provides the below insights regarding what organization’s should do now to prepare.

Who does this affect?

The GDPR applies to all European Union businesses, regardless of size or industry who handle any personal data of users. It also applies to organizations not based within the EU that collect data or monitor the behavior of EU citizens.

How do I comply with GDPR?

GDPR consists of several key parts:

Privacy: Organizations should only collect user data when it is necessary, and must limit access to data to appropriate individuals.
Organizations must permanently erase user data upon request.
Consent: Individuals must explicitly opt in to allowing collection of personal data. Consent may be removed at any time. This differs greatly from practices in the US that require an opt-out option only.
It is recommended that data be anonymized or pseudonymized to protect user.

To be in compliance with the GDPR, businesses who collect and process personal data of EU residents must follow stringent rules, including (but not limited to):

Obtaining consent before collecting personal data.
Offering customers the ability to request all their records be permanently deleted.
Reporting data breaches within 72 hours.

What is the risk of non-compliance?

The EU authorities have been aggressively pursuing data protection enforcement for years. The new regulation places heavy fines for violations, up to €20 million or 4 percent of global revenues, whichever may be higher. For US companies with a physical presence in the EU, the GDPR may be enforced directly against them. For US businesses that do not have a physical presence, but are actively conducting business in the EU, the GDPR requires that you designate a representative located in the EU.
Finally, European Union regulators will rely on international law to issue fines with the help of US authorities. While there is no defined mechanism in place for this yet, authorities on both sides have a history of working together.

What does AAFCPAs advise?

AAFCPAs urges clients to begin evaluating your user data and IT systems, and identify what data you are storing and where. While we have provided some guidance in this post, it is not intended to be all inclusive.

The GDPR specifies that: ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. In other words, personal data includes web identifiers such as: email addresses, website cookies, IP addresses, biometric data, and other online identifiers.

We advise clients to begin preparing now, if you have not already, for the May 25^th effective date so you may understand the impact of the new standard on your business, and develop an implementation schedule to appropriately allocate your resources and achieve compliance.

AAFCPAs’ Business & IT Advisory practice evaluates clients’ processes and systems readiness for compliance with GDPR. For more information please contact your AAFCPAs Partner, or James Jumes, leader of AAFCPAs’ integrated business & IT advisory practice at: 774.512.4062 or jjumes@nullaafcpa.com.

About the Author

James Jumes, MBA, M.Ed.

James joined AAFCPAs in 2013 to lead the firm’s Business Process & IT Consulting practice. He leads a team of senior technologist in the delivery of solutions related to business intelligence & productivity, information risk management and cybersecurity, and special IT attestations, compliance, and certifications. His goal is to strengthen the links between people, process, and technology, which increases productivity and drives business growth. James has more than 30 years of experience working with information technology …

Related Insights

Cost Center Coding Strategies for Effective Grant Reporting

For complex human and social services providers, managing grants and ensuring compliance can often feel like navigating a labyrinth. One effective strategy to simplify this process is through cost center coding. AAFCPAs provides the following detailed guidance on how to leverage cost center coding to streamline grant reporting and maintain compliance. Design Your Cost Centers […]

October is Cybersecurity Awareness Month. Are You Prepared?

Cybersecurity Awareness Month is observed in October in the United States to raise awareness about the importance of protecting digital systems and data from cyber threats. As of the third quarter of 2024, there were over 2,000 reported data breaches affecting an estimated 1.3 billion individuals globally with major breaches affecting companies like UnitedHealth, Snowflake, […]

Enhancing Reporting Capabilities With Integrated Systems

For CFOs and financial leaders within the Health and Human Services sector, the challenge of managing and reporting on diverse programs funded from various sources is a significant one. Accurate and efficient reporting is essential but often hampered by data spread across multiple, disconnected systems. AAFCPAs provides the following guidance on how integrating these systems […]