March 19, 2018
GDPR is Coming – Learn What You Need to Know
Posted by Liam Collins
Don’t get burned by the new GDPR rollout. U.S.-based companies aren’t exempt―here’s what you need to know about your risks and how to prepare.
What You Need to Know About GDPR
GDPR, the General Data Protection Regulation, is coming and is being called the biggest change to data privacy law in the last 20 years. That raises the question: are you ready for the May 25, 2018 deadline?
Even though this regulation is enacted by the European Union, it will affect many U.S.-based businesses. Here are some highlights to help you determine whether it applies to your business and, if so, how you can prepare.
Is Your Company at Risk?
Think you’re not at risk because GDPR is just for companies located in the EU? Think again. A company does not need a physical location in an EU country to be covered. GDPR reaches organizations outside the EU that process the personal data of people in the EU in connection with offering them goods or services (paid or free) or monitoring their behavior, such as tracking visitors on a website. So if your company sells or provides services to, stores personal data about, conducts targeted marketing to, or contracts with third parties to do targeted marketing to people located in any of the 28 EU countries, the GDPR rules (and the risk of fines) apply to you. Note that the test is where the individual is located, not their citizenship.
In addition, being certified under the EU-U.S. Privacy Shield framework will not by itself satisfy GDPR. Privacy Shield only provides a legal mechanism for transferring personal data from the EU to the U.S.; GDPR has a much wider scope, and companies that do business with, collect data from, or market to people in the EU will have to comply with it.
Compliance is compulsory, and the penalties are severe: fines of up to €20 million or 4 percent of total worldwide annual revenue for the preceding financial year, whichever is higher. If your U.S.-based company meets the criteria above, the deadline to comply is quickly approaching.
4 Steps You Can Take Today
Here are four steps you can take now to prepare your company for compliance.
- Assemble a team to evaluate data flows and scope.
Consultants or internal teams should map data flows to determine where personal data is collected, stored, processed and exported, including data handed to vendors and cloud providers, since transfers out of the EU need a lawful basis of their own. From there, companies can identify which processes and vendors are non-compliant and develop an action plan to shore up these areas. Marketing teams and contractors should also ensure that web forms, consent language and privacy notices are brought up to compliance.
- Document how personal information is kept private.
GDPR requires most organizations to keep a record of their processing activities, and there are many automated solutions that can streamline this process and capture key data points such as:
• What personal data do you store?
• Where is this data stored?
• How is this data used, and on what lawful basis?
• How long is this data retained?
• Who has access to this data?
- Prepare for data breaches.
Institute a plan to:
• Detect data breaches.
• Investigate and contain them.
• Report a breach to the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, and notify the affected individuals without undue delay when the breach is likely to result in a high risk to them.
• Keep a written record of every breach, including those you decide not to report and the reasoning behind that decision.
- Document compliance steps and develop new processes.
Institute a plan to:
• Carry out and document a Data Protection Impact Assessment for processing that is likely to pose a high risk to individuals (for example, large-scale monitoring or processing of sensitive data).
• Develop and implement processes to respond, generally within one month, to the numerous rights of data subjects with respect to their data, including the right of access, the right to erasure (the “right to be forgotten”), the “right to restrict processing,” the “right of rectification,” the right to data portability, etc.
GDPR is complex, but to simplify this topic and give you actionable items, we’ve focused on who’s at risk and outlined four steps you can take to prepare.
For more in-depth information, below are some additional articles you may find useful. As always, don’t hesitate to reach out to the Armanino team if you need help with GDPR compliance.
Liam leads Armanino’s service organization control (SOC) practice, which provides third party assurance services. He has more than 15 years of SOC experience in both the audit and consulting practice areas, including 10 years with Big Four firms.
Before joining Armanino, he served as a managing director at KPMG, where he was engagement partner on a number of assurance projects. He has also held audit, assurance, finance and IT leadership roles at PricewaterhouseCoopers, ControlMetric, Clare Chapman and Prodapt.
Liam received a BS in accounting from Golden Gate University, a JD from the University of San Francisco School of Law and an MBA from the University of Pennsylvania’s Wharton School. He is a member of the American Institute of CPAs and ISACA.