No question you’ve heard a lot currently about the European Union (EU) General Data Protection Regulation (GDPR). It’s a vital piece of law, yet most organizations are not compliant. Now that the GDPR timeline has expired and organizations must be compliant here’s what your organization needs to know.According to recent a PWC article, 68% of firms over 500 employees surveyed said they are planning to spend between $1-10 million USD to address GDPR obligations.
EU- GDPR (EU General Data Protection Regulation) is the new EU legal framework designed to provide the foundation for how global firms and agencies around the world must protect personally identifiable information of EU residents. The legislation also places limitations on what data can be used for and how it is processed by an organization.
You don’t want to go through pages and pages of legalese text. Positioned truly, the regulation is designed to put personal records returned within the palms of the person who owns it and make certain organizations are obvious about how they take care of user’s electronic details.
Of all the user data collected, stored and transmitted: web forms, cookies, user preferences, etc. Under GDPR, all personal data of those residing in the EU must be processed lawfully, fairly, and in a transparent manner in relation to the data subject.If your organization collects or processes personal data drawn from European subjects, GDPR applies to your organization, regardless if you have a physical office in the EU and regardless of what geographically the data is processed.GDPR clearly defines the two primary roles and responsibilities of data, which are the ‘processor’ and the ‘controller’Controller means the “body which, alone or jointly with others, determines the purposes and means of the processing of personal data”. Processors means a “body which processes personal data on behalf of the controller”Taking into account the nature, scope, context, and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.
The data controller must “demonstrate that the data subject has consented to processing of his or her personal data.” The “request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language”
The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.
“Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity”
Don’t save non-public data unencrypted on a USB stick, as an example, or depart it on an unsecured cloud server. Data breaches can lead to large fines, so hold it secure, encrypted and secure from prying eyes.
This person should be well trained and briefed on their responsibilities. Relying on the nature of your organization, this person could be your privacy or Compliance Officer. Ensure your organization develops the appropriate policies and procedures accordingly and that you have a defined incident response plan in place.
“In the case of a personal data breach, the data controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the appropriate authorities of such breach”If you are unsure whether or not your organization needs to be compliant with GDPR or are looking for guidance on best practices for implementation, contact Todd Jennings, tjennings@cviewllc.com.
We are a full-service management consulting and CPA firm covering all aspects of audit, compliance, risk management, accounting, finance, tax, IT risk, and more. Just let us know what you need help with and an expert will be in touch!
Request Your Consultation
