The European Union’s (EU) General Data Protection Regulation (GDPR) went into effect on May 25, 2018. The regulation governs the protection of natural persons with regard to the processing of personal data and the free movement of such data. It applies to any organization established in the EU, and to organizations outside the EU that process the personal data of people who are in the EU in connection with offering them goods or services or monitoring their behavior, whether those people are residents or visitors.
The GDPR has made profound changes to the understanding of privacy, data protection and personal data in the EU and has wide-ranging effects on anyone processing the personal data of EU data subjects. A data subject is a natural person whose personal data is being collected and processed. If your organization holds even a single record on an EU data subject in the course of those activities, this regulation applies to you.
GDPR also changes the way that these laws are enforced and brings significant potential penalties. Failing to comply with the articles of GDPR may subject the organization to administrative fines of up to €20 million or 4% of the organization’s total worldwide annual turnover for the preceding financial year, whichever is greater.
Schneider Downs provides multiple solutions to help our clients achieve and maintain compliance with GDPR:
1. Awareness
You should make sure that decision-makers and key people in your organization are aware that regulations are changing. They need to appreciate the impact that these changes are likely to have on your organization. In addition, line-level and larger scale training may be necessary for certain personnel within your organization who handle personal data on a regular basis.
2. Document the Personal Information You Hold
You should document what personal data you hold, where it came from, what you do with it and who you share it with. We use data flow diagrams and business process maps for each of these processes.
3. Communicating Privacy Information
You should review your current privacy policies, procedures, contracts and notices and put a plan in place for making any necessary changes to meet the GDPR deadline.
4. Individuals’ Rights: Right to Erasure, Data Portability, Rectification, etc.
You should check your procedures to ensure that they cover all the rights individuals have, including how you would erase personal data on request or when it is no longer needed (the right to erasure, commonly called the “right to be forgotten”), transfer a data subject’s data to them or to another controller on request (data portability) and correct inaccurate information (rectification).
5. Data Subject Access Requests for Data / Information on Data Handling
You should update your procedures and plan how you will handle data subject access requests within the GDPR timeframe: without undue delay and in any event within one month of receipt, which may be extended by two further months for complex or numerous requests provided the data subject is told why within the first month. Data subjects have the right to obtain confirmation from the controller as to whether or not personal data concerning them is being processed and, where that is the case, access to the personal data. They also have the right to information about the purposes of the processing, the categories of data involved, the recipients, the retention period and the source of the data, as well as any further processing carried out while the data was in the controller’s possession.
6. Inventory Your Data
Identify all the data subjects whose personal data you process or store, flag any special categories of data (health, biometric, political opinions and the like), and determine for each data set whether the subjects are in the EU and therefore whether GDPR applies. Document the supervisory authority for each member state in which you operate and identify the data controller for each processing activity. If you have establishments in more than one member state, you also need to determine which supervisory authority will act as your lead supervisory authority, which depends on where your main establishment makes its decisions about the processing.
7. Lawful Basis for Processing Personal Data
You should review your current practices and contracts and identify the lawful basis for your processing activity under the GDPR, document it, and update your privacy notice to explain it.
8. Consent
You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consent processes now if they do not meet the GDPR standard.
9. Data Breaches / Incident Response Plan
You should make sure you have an incident response plan in place to detect, report and investigate a personal data breach. The plan must account for the GDPR notification clock: a breach must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of it, and affected data subjects must be informed without undue delay when the breach is likely to result in a high risk to their rights and freedoms. The plan needs to be documented and tested.
10. Security of Processing
You should ensure that appropriate technical and organizational measures are in place so that the risk to personal data is effectively mitigated, taking into account the state of the art, the cost of implementation and the nature of the processing. Your plan should include techniques such as the pseudonymization and encryption of personal data. You must also have effective controls that ensure the ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore availability and access to personal data in a timely manner after an incident, and a process for regularly testing and evaluating the effectiveness of these measures.
11. Data Protection by Design and Data Protection Impact Assessments
You should familiarize yourself now with the guidance on Data Protection Impact Assessments (DPIAs), including the Article 29 Working Party guidelines that have since been endorsed and carried forward by the European Data Protection Board, and decide how, when or whether you need to perform them in your organization. A DPIA is mandatory where processing is likely to result in a high risk to individuals, for example large-scale processing of special categories of data or systematic monitoring of a publicly accessible area.
12. Data Protection Officers
You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organization’s structure and governance model. You need to determine whether you are required to formally designate a Data Protection Officer. If so, this position must report to the highest levels of management.
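Item 10 above recommends pseudonymization as a safeguard, and practitioners often implement it by simply hashing the identifier. The following is an added illustration, not code from Schneider Downs or from this page, showing why an unkeyed SHA-256 of an email address is not an adequate pseudonym (anyone with a list of candidate addresses can reverse it) and how a keyed HMAC, with the key held separately from the pseudonymized data set, prevents that while still letting the controller re-link a record when a subject exercises their access or erasure rights. The sample records, candidate list, field names and key are all constructed for the example.

```python
"""Pseudonymization of a direct identifier with a keyed hash (added example)."""
import hashlib
import hmac
import os

# Constructed sample records of the kind a controller might hold.
SAMPLE_RECORDS = [
    {"email": "Alice@Example.com", "country": "DE", "plan": "pro"},
    {"email": "bob@example.org", "country": "FR", "plan": "free"},
]

# Constructed list of guesses an attacker might try against a leaked data set.
CANDIDATE_EMAILS = [
    "carol@example.net",
    "alice@example.com",
    "bob@example.org",
]

# The pseudonymization key. In production this lives in a secrets store or HSM,
# never alongside the pseudonymized data set; a fresh random key is used here.
DEMO_KEY = os.urandom(32)


def normalize(email: str) -> bytes:
    """Canonicalize so 'Alice@Example.com' and 'alice@example.com' map together."""
    return email.strip().lower().encode("utf-8")


def naive_pseudonym(email: str) -> str:
    """Unkeyed hash: deterministic function of the input, so reversible by guessing."""
    return hashlib.sha256(normalize(email)).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key: without the key a candidate list is useless."""
    return hmac.new(key, normalize(email), hashlib.sha256).hexdigest()


def pseudonymize(records, key: bytes):
    """Replace the direct identifier with its keyed pseudonym and drop the email."""
    result = []
    for rec in records:
        fields = {k: v for k, v in rec.items() if k != "email"}
        result.append({"subject_id": keyed_pseudonym(rec["email"], key), **fields})
    return result


def reverse_by_dictionary(pseudonym: str, candidates, pseudonym_fn):
    """Re-identification attempt: hash each guess and compare against the pseudonym."""
    for candidate in candidates:
        if hmac.compare_digest(pseudonym_fn(candidate), pseudonym):
            return candidate
    return None


def find_subject(records, email: str, key: bytes):
    """Controller-side re-linking (for access or erasure requests) using the key."""
    wanted = keyed_pseudonym(email, key)
    return [r for r in records if hmac.compare_digest(r["subject_id"], wanted)]


if __name__ == "__main__":
    data = pseudonymize(SAMPLE_RECORDS, DEMO_KEY)
    print("pseudonymized:", data)
    # The naive scheme is broken by a candidate list.
    print("naive reversed to:",
          reverse_by_dictionary(naive_pseudonym("alice@example.com"),
                                CANDIDATE_EMAILS, naive_pseudonym))
    # The keyed scheme is not, unless the attacker also holds the key.
    print("keyed reversed to:",
          reverse_by_dictionary(data[0]["subject_id"],
                                CANDIDATE_EMAILS, naive_pseudonym))
    # The controller, holding the key, can still honour a request from alice.
    print("records for alice:", find_subject(data, "alice@example.com", DEMO_KEY))
```

The key is what turns a hash into a pseudonym in the GDPR sense: the pseudonymized set may only be attributed to a specific data subject with additional information that is kept separately. Rotating the key, or destroying it once a retention period ends, also gives you a defensible way to render the whole set effectively anonymous.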
If your organization is late to comply with GDPR, please visit the “Our Thoughts On” blog to read more about our recommendations on how to become compliant.
Schneider Downs’ team of experienced risk advisory professionals focus on collaborating with your organization to identify and effectively mitigate risks. Our goal is to understand not only the risks related to potential loss to the organization but to drive solutions that add value to your organization and advise on opportunities to ensure minimal disruption to your business.
To learn more, visit our dedicated IT Risk Advisory page.
Schneider Downs is a Top 60 independent Certified Public Accounting (CPA) firm providing accounting, tax, audit and business advisory services to public and private companies, not-for-profit organizations and global companies. We also offer Internal Audit; Technology Consulting; Software Solutions; Personal Financial Services; Retirement Plan Solutions and Corporate Finance Services. Schneider Downs is the 13th largest accounting firm in the Mid-Atlantic region and serves individuals and companies in Pennsylvania (PA), Ohio (OH), West Virginia (WV), New York (NY), Maryland (MD), and additional states in the United States with offices in Pittsburgh, PA, Columbus, OH, and McLean, VA.
© 2024 Schneider Downs & Co., Inc. Maryland license number 35239.