by Madhu Maganti, CPA, CISA, Director of IT Assurance and Security Group

If your organization handles any personal information for a resident in the European Union (EU), then you should be aware of the upcoming General Data Protection Regulation (GDPR) going into effect on May 25, 2018, regardless of where in the world your company is located. GDPR significantly increases the obligations and responsibilities for organizations and businesses in how they collect, use and protect personal data. The key factor in the new law is the requirement for organizations to be fully transparent about how they are using and safeguarding personal data, and to be able to demonstrate accountability for their data processing activities.

Understanding GDPR

Many of the main concepts and principles of GDPR are much the same as those in the current Data Protection Acts 1988 and 2003. However, GDPR introduces new elements and significant enhancements, requiring considerable work by all organizations in how they process personal data. Some elements of GDPR will be more relevant to certain organizations than others, so it is important and useful to identify and map out the areas that will have the greatest impact on your business model.

Organizations need to respect personal privacy by restricting what personal data they collect and process and by safeguarding that data. Privacy obligations apply to any information, either by itself or used with other pieces of information, that could identify an individual person living in the EU, including items such as:

  • Addresses
  • Passport numbers
  • Driver’s license numbers
  • Financial details
  • Biometrics
  • Union memberships
  • Medical history
  • Location data
  • Information relating to a person’s sexual, religious or political orientation

GDPR Parameters

The main tenets of GDPR that should be followed include:

  • Personal data for individuals shall be processed lawfully, fairly and in a transparent manner. EU residents need to be told what is being collected and for what purpose.
  • Personal data shall be collected for specified, explicit and legitimate purposes, and should not be used for any other reasons that conflict with these purposes.
  • Personal data shall only be kept and processed for as long as it is required for that purpose and for no longer than that.
  • Personal data must be kept up-to-date and accurate.
  • EU residents have the right to receive a copy of their data, or can request that their personal data no longer be used. In some cases, they can have it deleted entirely.
  • Organizations must implement appropriate security measures to protect personal data against accidental or unlawful destruction, loss, alteration or disclosure.
  • Organizations also need to ensure all staff members who handle personal data are properly trained in how to secure and protect that data.

The protection measures that are in place to secure personal data must ensure a level of protection appropriate to the sensitive nature of the data. As the risk associated with data becomes greater, so should the effort and expense of measures to protect the data. These measures should be regularly reviewed and updated as appropriate. Well-documented records about privacy and security decisions and measures help to show compliance with the requirements. In addition, organizations are legally bound to employ measures, such as contracts and due diligence reviews, to protect personal data when transferring it to external third parties or parties outside the European Union.

GDPR Reporting

In the case of a personal data breach, organizations should report the breach within 72 hours after becoming aware of it. In most cases, organizations are aware of a breach the moment it occurs, but it is critical to ensure that, once the breach is identified, the Incident Response Plan is enforced to mitigate the risk and return business operations to a normal state. Failure to comply with GDPR can result in fines of up to 4 percent of an organization's global revenue or 20 million euros (whichever is greater), making GDPR one of the most financially costly regulations in the world.

Doeren Mayhew’s dedicated Information Technology (IT) Assurance and Security Group is comprised of specialists who work closely with organizations across the world to ensure cybersecurity compliance. For more information, contact one of our IT assurance professionals today.