February 21, 2019

By Darren Hulem | Network Administrator Auditor

GDPR, also known as General Data Protection Regulation (EU) 2016/679, was a regulation passed by the European Union (EU) in 2016 aimed at data protection and privacy for individuals within the EU. Enforcement, which began on May 25, 2018, has the potential to affect companies outside of the EU if they are offering goods, services or monitor the behavior of people within the EU. Additionally, the regulation applies to all companies processing and holding personal data of persons residing within the EU regardless of the organization’s location.

The goal of GDPR is to give the consumer control over their information. The key policies or principles of GDPR include:

Obtaining consent: Your terms of consent must be clear. Companies will no longer be able to use vague or confusing verbiage to gain consent.

Timely breach notification: It is mandatory for companies to notify their data protection authority about a breach within 72 hours of becoming aware of it.

Right to data access: Consumers will have the right to access their data being stored by companies and find out the purpose for which it is being used.

Right to be forgotten: Consumers have the right to ask the company with their data to destroy it.

Data Portability: Consumers will have the right to take their data and transfer it to another organization.

GDPR represents a big change from how privacy and data collection was done in the past. Previously, consumers had to opt-out of having their data collected. Now, individuals will have the ability to opt-in. Some of the implications of GDPR are already evident on many of the websites that you visit daily. From notifications about the collection of cookies and the update of privacy policies to email notices about GDPR-compliant privacy policies, companies worldwide are rushing to let consumers know they are handling their personal data responsibly. Microsoft has even gone a step further, noting that “as an advocate for national privacy legislation in the United States since 2005” they are extending the same principles of GDPR to not only EU residents, but to all customers worldwide.

Non-compliance with GDPR can result in hefty fines, with a maximum fine of 4% of annual revenue or €20 million, whichever is larger. Unfortunately, fines have already been levied against companies. The Austrian Data Protection Authority (ADPA) acknowledged that, “GDPR allows larger fines to be imposed, but that fines must be proportionate.” In a recent instance where a retail establishment with a surveillance company captured too much of a sidewalk, the ADPA levied a fine of €4,800 for the infraction.

GDPR is meant to protect the EU consumer in the age of technology and protect their data/information from being used without their knowledge, but US companies are not immune. Many of these principles should be contained in your organization’s internal policies including incident response, breach response, privacy and information security. If you have questions about your organization’s policies or the benefits of enterprise risk management services, please contact Darren Hulem, Network Administrator Auditor at 301-951-9090 or dhulem@grfcpa.com.