How GDPR Will Impact U.S.-Based Firms
If you pay attention to overseas regulations, the term GDPR has probably entered your consciousness. But what is it exactly? More importantly, can it potentially impact U.S.-based accounting firms?
What is the GDPR?
The EU Parliament approved the General Data Protection Regulation (GDPR) in April of 2016. According to EUGDPR.org, its intent is to “harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.” In short, the aim is to protect EU residents from privacy and data breaches in an increasingly data-driven world.
The GDPR outlines significant changes for the public as well as organizations that handle personal information of EU citizens. Full details on all of the changes are beyond the scope of this article, but the regulation sets out rights of individuals and places obligations on organizations that handle personal data of EU citizens.
This includes giving people easier access to the data companies hold about them, giving them the right to demand that errors in their data are rectified or have their data erased or forgotten. It also holds companies more accountable for handling people’s personal information and levies significant fines for businesses that don’t comply.
How is personal data defined?
The definition of personal data is broad. The GDPR defines it as “any information relating to an identified or identifiable natural person.” That may include names, addresses, IP addresses, phone numbers, email addresses, credit card details, financial information, medical information and even posts on social media websites.
Which businesses will be impacted?
The GDPR does not only apply to organizations located within the EU. It applies to any organization that processes or holds the personal data of EU residents, regardless of the company’s location. Essentially, it has the potential to impact every business on the planet.
On a practical level, the EU may not levy a fine directly on a U.S.-based company, but it is very likely that regulators would pursue an EU-based subsidiary of a U.S.-based organization.
When does the GDPR take effect?
The EU Parliament established May 25, 2018, as the enforcement date for the new regulation. At that time, organizations not in compliance could face hefty fines.
What should you do?
To help prepare for the start of the GDPR, the Information Commissioner’s Office (ICO) created a 12-step guide, available at http://bit.ly/1XLwlsA. Your firm may need to have more detailed one-on-one conversations to lay out specific plans on how to apply the GDPR articles.
However, it’s worth noting that the ICO has said that, in the event of a breach, they will consider all measures taken by an organization to adhere to GDPR when deciding on any recourse.
Achieving compliance with GDPR may not be straightforward, especially with the May 25 deadline right around the corner. But consider this an opportunity to improve data efficiency, data protection, client relations and trust. Compliance efforts can only serve to better secure your firm against future data breaches. (CPA Practice Advisor)