
How your organization handles personal data is about to change

If your organization or client handles personal data of any person residing in the European Union—even if the organization itself isn’t located there—pay attention. The way you store and manage that data may need to change significantly.

Enforcement of the EU General Data Protection Regulation (GDPR), which was ratified in 2016, will go into effect May 25, 2018. The GDPR was created to allow individuals to have greater control over their personal data and provide consistency across the EU member countries when it comes to data privacy rules. According to EUGDPR.org, personal data is defined as “any information related to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information or a computer IP address.”

Given that times and technology have both changed since the previous Data Protection Directive 95/46/EC of 1995 was implemented, GDPR will both replace that directive and bring the regulation up to date based on how customer data is used today. Standardization across EU countries also reduces some of the compliance burden for organizations that do business in multiple EU countries.

Any company that processes or holds personal data of a person who lives in the EU is required to follow GDPR. And UK citizens will most likely be afforded the same data protections, regardless of Brexit. The United Kingdom has committed to creating a new Data Protection Bill that will bring GDPR into UK law, so even post-Brexit, organizations will likely need to follow GDPR rules for UK citizens’ personal data. Organizations that are in violation of GDPR can be fined up to 4 percent of their annual global revenue or 20 million euros, whichever is higher.

Since there are only around two months left before GDPR officially starts being enforced, if you haven’t started preparing yet, now is the time. Here’s where to start:

  1. Educate yourself and your organization or clients on GDPR. The International Association of Privacy Professionals’ EU GDPR Resource Center is a good place to start. EUGDPR.org also has an overview of key changes as well as other information. And you may be interested in reviewing some of our courses on data protection and GDPR.
  2. Evaluate how GDPR relates to how your organization or clients do business. Once you understand how GDPR will affect your organization and the risks involved, you can develop an effective plan to mitigate those risks. For example, you may need to make an external change, such as updating your privacy policies to provide more transparency to end users about how their data is used. Or, you may need to change how you do business internally when it comes to data processing and data storage, adding additional structure to those processes depending on your GDPR-related risks.
  3. Consider engaging a data protection officer (DPO). Under GDPR, some organizations will be required to have a DPO. However, even if your organization doesn’t fall under that category, a DPO could be beneficial for helping you navigate the new compliance requirements. On the flip side, CPAs who provide risk advisory services might also consider providing data privacy-based advisory services to organizations that will be impacted. As trusted, independent business advisors who are familiar with an organization’s risks and how to mitigate those risks, CPAs can play a beneficial role in helping organizations stay compliant.

Through GDPR, individuals will benefit from having more control over their data—and organizations that may not have been impacted previously will have to make changes to be compliant. If you’d like to learn more about GDPR and how to prepare, sign up for our upcoming Association of International Certified Professional Accountants webcast on GDPR implementation, which will broadcast March 22 at 12 p.m. ET.

Jon Mabe, Senior Manager – IT Audit, Security & Privacy and Data Privacy Officer, Association of International Certified Professional Accountants
