If you operate a business that is in any way involved with obtaining, managing or using the personal data of residents of the European Union, note the date May 25, 2018. That’s when the two-years-in-the-making General Data Protection Regulation becomes the law of the land.
Your company might be affected by the GDPR -- and subject to potentially stiff financial penalties for violations -- even if it doesn’t have a physical presence in Europe.
Let’s take a closer look, first by defining exactly what we mean by personal data.
Personal data, in the digital age, refers to information about individuals that is valuable to marketers who wish to sell products or services to them. Most of us understand this to include data points such as names, contact information, photos, banking information and other sensitive information. But it can also include medical records, IP addresses, genetic and biometric data, and a whole lot more.
The GDPR was established to give EU citizens more control over their personal data. The intent is to ensure that such data is collected, maintained and used only in ways that protect it from exposure, and that it is collected only from those who choose to share it.
Consistency of privacy protection throughout the EU was one of the reasons the GDPR was put in place. Under the new regulation, the rules and enforcement mechanisms will be the same from one member nation to the next. Additionally, the United Kingdom is expected to enforce GDPR compliance even though it is exiting the EU.
The governmental entities involved promote this uniformity as an advantage to businesses operating in the EU. The argument goes that it will cut through the confusion of patchwork laws across borders and therefore lower the cost of doing business in a unified Europe.
Your business is subject to the GDPR regardless of whether you have an office or other physical presence in the EU. All that matters is that you are collecting, processing or using personal data obtained from its citizens.
In all, there are 91 articles to this complicated law, but here are a few that stand out.
Data subjects retain control of their own information and may share it as they wish. This includes the “right to erasure,” under which your customers or prospects can demand that their information be deleted from your files.
Your company must implement reasonable data security measures to protect against breach and exposure of personal information.
Authorities must be notified within 72 hours of a data breach. EU citizens whose information has potentially been exposed must also be notified.
Depending on the kind of personal information your business accesses, you might be required to appoint a data protection officer (DPO) to serve as the point person in maintaining GDPR compliance.
Penalties for Violation
The punishment for non-compliance can be severe, wherever in the world your company is located. The financial penalty, depending on the type of violation, can be as steep as four percent of your company’s annual revenue.
It’s this high cost of non-compliance that makes it critical to conform to regulations if your company is in any way involved with the personal data of EU citizens. It’s in your best interest to implement policies and procedures to get -- and stay -- in full compliance with GDPR rules and law.
Start by consulting with experts who know the full scope of the GDPR and can help you stay ahead of the changing legal landscape.
Mary Vasilescu, CPA, is a partner in Tax Services at Wiss & Company LLP and an international tax expert. Reach her at (973) 994-9400 or firstname.lastname@example.org.