You may be thinking that there is no point in reading further because your business is located in the United States, not the EU. That is not true. United States businesses with clients or customers in Europe will be required to comply with these new data regulations and seek guidance on how to implement them, and will likely need to appoint a representative in the EU.
The EU General Data Protection Regulation (GDPR) becomes effective May 25, 2018. Its main goal is to bring together data privacy laws across Europe that protect all EU citizens and improve the way companies treat privacy.
The biggest change in the new regulations is the increased scope. Businesses processing data of those residing in the European Union will need to abide by these new rules even if the business is located outside of the EU.
The rules should be carefully established and implemented, as penalties for noncompliance can be up to 4% of annual global turnover or €20 million. Even companies that take care to implement many of the regulations but fail on some minor aspect of the rules can be assessed some level of penalty. For example, a company that adheres to all regulations but does not keep adequate records or fails to bring attention to a breach may still be fined 2%.
Other updates to the regulations include but are not limited to:
- Obtaining consent using clear language
- Notifying controllers and customers of a data breach within 72 hours
- Transparency of what personal information is processed
- The right for personal data to be erased or withdrawn upon request or when no longer needed
- Portability of data or the right for the subject to receive their personal info in a clear format
- Implementing privacy regulation as a core component of designing new systems
- Appointment of data protection officers
More details of the GDPR may be found at www.eugdpr.org.
This information is general in nature and should not be relied upon. Please consult professional guidance on any questions relating to these new regulations.
Jill A. Helm, CPA