Getting ready for the EU’s stringent data privacy rule

The new EU General Data Protection Regulation, which takes effect in May, will have far-reaching effects. Here are key elements and a readiness plan.
By Jennifer McCallister, Gabriela Zanfir-Fortuna, and Jennifer Mitchell


The General Data Protection Regulation (GDPR), adopted in the European Union in 2016, will become enforceable on May 25, 2018, and will affect all companies that use personal data of persons in the EU to provide services, to sell goods, or to monitor their behavior, even if those companies don't have an office in the EU.

In addition, the GDPR requires that companies without a physical EU location have an appointed representative for EU enforcement purposes.

Data protection is a significant issue in Europe. After World War II, when personal information was used to identify and target people based on specific demographics, the Council of Europe was formed to bring together European states to address, among other topics, human rights and the associated right to privacy. Between the 1950s and 1980s, many EU countries adopted their own national data protection laws, and in 1995, as an attempt to harmonize these laws, the EU adopted the Data Protection Directive (DPD). As a "directive," the DPD provided for specific aims to be achieved through national laws by the member states.

While it managed to harmonize essential data protection safeguards, the transposition of the directive in national laws still allowed differences among national laws. Taking note of the digital age, the European Commission announced its ambitious plan to reform the data protection framework to provide a high level of protection to individuals and to update the rules for the new digital reality.

Unlike the DPD, the GDPR is directly applicable in the national systems of EU member states. The GDPR is considered the most stringent data privacy regulation to date and could one day be the primary influence behind globally adopted privacy standards.

GDPR IN A NUTSHELL

The GDPR is a comprehensive law that applies to businesses handling personal data of individuals in the EU — even when no transaction takes place and regardless of whether a business is physically located in Europe. The GDPR elaborates on issues that arose under the DPD, strengthening the rights of individuals and providing for prohibitive fines, which can go up to €20 million (about $22.9 million), or 4% of the global annual turnover, or revenue, for the previous year. As the effective date approaches, regulated entities are left with a narrow time to become compliant.

GDPR'S REACH TO THE US

Many U.S. companies have embraced the regulation and have been working steadily on implementation plans since 2016; however, others are still determining whether the GDPR even applies to them. For U.S. companies, it may be difficult to understand the complexity of the GDPR and its application within the United States; however, caution should be taken before turning a blind eye, as the new rules will apply to many more U.S.-based companies than the current DPD standard. The GDPR's territorial reach is wide because the rules apply not only to organizations that have an establishment in the EU, but also to those organizations that are not established in the EU as long as they provide services or offer goods to persons in the EU, or they monitor the behavior of persons in the EU. This means that all U.S.-based companies that offer services or goods to persons in the EU, or that profile persons in the EU, will be subject to the GDPR.

While this list is not all-encompassing, leaders of organizations such as cloud-based businesses, companies that market to international client bases, pharmaceutical and medical-device companies, hotels, universities, international professional organizations and institutions, and all companies with EU-based customers or their data should be assessing whether the GDPR applies to them.

To understand if the GDPR applies to their organization, those in accounting, finance, and audit roles should connect with their compliance and IT counterparts to assess what type of personal information the financial and accounting systems hold and how that information is used. For example:

  • Personal information of customers, contractors, and employees held in payroll, accounting, and HR systems;
  • Audit and accounting workpapers that contain personal data and information; and
  • Communications containing personal information.

KEY ELEMENTS OF GDPR

Accountability and privacy by design

This is one of the key innovations brought by the GDPR to the data protection regime. Detailed records of personal data processing activities, privacy impact assessments, and privacy by design will be required under the regulation. The concept of privacy by design, or building compliance into processes and operations rather than as an afterthought, aligns with today's governance, risk, and compliance (GRC) concepts we see emerging as best practices across many organizations in the United States.

Appointed data protection officer (DPO)

Organizations handling large amounts of data or certain types of data as a significant element of their business will now be required to appoint a DPO. For full accountability, the DPO must report to the highest level of management and be provided sufficient resources to carry out the job and "maintain his or her expert knowledge." The DPO will be charged with advising the decision-makers to ensure organizational compliance with the full GDPR regulation.

Obtaining consent

Rather than relying upon implicit consent, the GDPR requires consent "by a statement or by a clear affirmative action," obtained in written, electronic, or verbal form, and the individual must be given the possibility to withdraw consent at any time. Even more protection is provided for children under the age of 16 (a higher bar than the age of 13 set by the Children's Online Privacy Protection Act (COPPA) in the United States), who may not be fully aware of, or able to understand, what they could be consenting to. Parental consent must be obtained, and "reasonable efforts" must be applied to verify that the parent or guardian has provided the proper consent. However, note that consent is not the only legitimate ground for using personal data under the GDPR.

72-hour rule

Should a personal data breach occur, companies must notify the supervising authority of the breach within 72 hours of becoming aware of the event. If that time frame is not met, data controllers must provide a reasoned justification for the delayed notification. They must also notify impacted individuals "without undue delay." The regulation offers some exceptions to this requirement that will surely open the door to debate. If the breach is "unlikely to result in a risk to the rights and freedoms of natural persons," notification is not required.

Right to be forgotten and right to data portability

Under certain situations, individuals have the right, also known as the right to erasure, to request that their data be permanently removed from a company's systems (e.g., if consent is withdrawn and there is no additional ground to process their data, those data must be erased). Individuals also have a right to obtain a copy of their data in an interoperable format in order to transmit them to another controller.

Minimization, purpose limitation, and storage limitation

Plain and simple, only the minimum amount of personal data necessary to achieve a specific purpose should be collected, it should be used only for the purpose(s) clearly communicated and consented to, and it should be stored only as long as necessary. For instance, a company providing a portable medical device that collects physical parameters and location for the announced purpose of monitoring that person's heart rate will not be compliant with data-minimization obligations, because location data are not needed to determine one's heart rate.

Penalties for noncompliance

While we must wait to see how compliance with the GDPR will be monitored and enforced, companies will face penalties of up to 4% of global turnover of the previous financial year or €20 million, whichever is higher, should noncompliance be identified. A lower tier of fines up to €10 million or 2% of the global annual turnover is provided, for instance, for noncompliance with data breach notification obligations.

AN ACTION PLAN FOR GETTING AHEAD OF GDPR

Take inventory

Companies should identify and take inventory of the data they collect, what those data are used for, and how they move across the enterprise. Are data being collected or stored that are not actively used for any purpose? Have you identified the specific purpose for which each data point is being used?

Example: A U.S. hotel that has guests visiting from Europe is usually going to process their personal data, first, through the online booking system, and then at different stages — before arrival, during the stay, and after departure (e.g., retaining their email address for future promotions). Data mapping will show exactly what personal data of its EU-based clients are collected at what point, how, and by whom they are used. Based on this information, the GDPR compliance project can be built by those responsible within the company.

Embed privacy in processes using personal data

Companies using personal data, especially those for which personal data are part of their core business, benefit from thinking about privacy safeguards before starting projects or new businesses or developing new tools. Data protection by design, and conducting data protection impact assessments on processes or business units that execute large-scale data processing, are examples of embedding privacy into processes.

Example: A U.S. company wants to sell a service, based on an IT tool that manages HR files, to employers in the EU. The U.S. company will be subject to the GDPR (either as processor or joint controller, depending on the arrangement with its EU clients) once it starts providing the service to EU-based persons. Data protection by design and by default requires that the company embed privacy protections into the tool. For instance, the tool's default settings must restrict the data points collected, or the tool should be developed to be able to process pseudonymized data.
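The minimization example (location collected for a heart-rate purpose) and the privacy-by-default requirement for the HR tool can both be shown in code. The following is an added illustration, not code from the article: each declared purpose carries an allow-list of fields, anything outside it is dropped by default, and direct identifiers are replaced with a keyed pseudonym. The purpose table, field names, key and sample record are all constructed for the demonstration.

```python
import hmac
import hashlib
import json

# Assumed (not from the article): each declared processing purpose maps to the
# fields that purpose actually needs. Anything outside the list is dropped by
# default, which is what "privacy by default" means in practice.
PURPOSE_FIELDS = {
    "heart_rate_monitoring": {"device_id", "heart_rate_bpm", "timestamp"},
    "payroll": {"employee_id", "name", "iban", "salary"},
}

# Constructed pseudonymization key. In a real deployment this lives in a secrets
# store held separately from the pseudonymized data, so the data alone cannot be
# linked back to the person.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-use"

DIRECT_IDENTIFIERS = {"employee_id", "device_id"}

def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash: same input gives the same token, not reversible without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]

def minimize(record: dict, purpose: str) -> dict:
    """Keep only fields the declared purpose needs; pseudonymize direct identifiers."""
    if purpose not in PURPOSE_FIELDS:
        raise ValueError(f"no declared purpose: {purpose}")
    allowed = PURPOSE_FIELDS[purpose]
    out = {}
    for field, value in record.items():
        if field not in allowed:
            continue  # e.g. location for the heart-rate purpose is dropped here
        if field in DIRECT_IDENTIFIERS:
            out[field] = pseudonymize(str(value))
        else:
            out[field] = value
    return out

# Constructed sample: a wearable sends more than heart-rate monitoring needs.
RAW_DEVICE_RECORD = {
    "device_id": "DEV-0001",
    "heart_rate_bpm": 72,
    "timestamp": "2018-05-25T09:00:00Z",
    "location": {"lat": 48.85, "lon": 2.35},
}

if __name__ == "__main__":
    print(json.dumps(minimize(RAW_DEVICE_RECORD, "heart_rate_monitoring"), indent=2))
```

Processing under a purpose that was never declared fails closed, which is the behaviour a purpose-limitation control should have.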

Create policies and procedures

Implementing policies and procedures to address the GDPR requirements gives a company the opportunity to build compliant processes from the start rather than overlaying compliance on top of existing operations. The benefit of doing so extends well beyond regulatory compliance and results in processes that are both efficient and compliant.

Example: A U.S.-based manufacturer that has an office in the EU should develop a privacy policy for how it collects and uses, for HR purposes, the data of those employees based in the EU. If the manufacturer's activity involves collecting and using other types of personal data, for instance if the manufacturer maintains a database of clients who are natural persons, then it should also have a privacy policy for how it uses client data, disclosing any analytics or automated decision-making involving those data. The manufacturer should also put in place procedures to handle requests from persons who want access to their own data, or who want their data corrected or erased, addressing questions such as: Who receives the requests? Who assesses the requests? Who approves the resolution? Who replies to the individual? The policies and procedures can be drafted by in-house counsel, outside counsel, outsourced specialized consultants, or the company's DPO, if one was appointed, and they should be adopted at the highest level.

Engage vendors and other business associates

Leading an effective GDPR compliance and control effort will require cooperation among vendors and other business associates. Engaging them in the process, communicating expectations of them, and understanding their compliance efforts are key.

Example: A U.S.-based pharmaceutical company that wants to conduct clinical trials in the EU and has to contract a company specializing in clinical trials must make sure that the specialized company provides appropriate data protection safeguards. The pharmaceutical company is also legally responsible for how the clinical trial company uses personal data on its behalf.

Data Protection Gold Standard

The GDPR sets the bar high compared to U.S. regulations governing the collection, use, and protection of personal data. While many companies will be required to fall in line with the requirements set forth in the regulation, others should consider it as a best practice for protecting personal data.


About the authors

Jennifer McCallister (jennifer.mccallister@navigant.com) is an associate director at Navigant Consulting. Gabriela Zanfir-Fortuna (gabriela.zanfir@navigant.com) is GDPR subject-matter expert at Navigant Consulting. Jennifer Mitchell (jenniferlklem@gmail.com) specializes in privacy compliance. She worked previously as a director at Navigant Consulting.

To comment on this article or to suggest an idea for another article, contact Neil Amato, senior editor, at Neil.Amato@aicpa-cima.com or 919-402-2187.

