GDPR 101: What You Should Know About the European Union’s Impending Data Privacy Directive

If you are under the impression that the European Union’s (EU) General Data Protection Regulation (GDPR) doesn’t apply to you, there’s a good chance you could be mistaken. Despite the common misconception, the impact of GDPR extends far beyond companies based only in Europe. In fact, the regulation applies to any company that solicits, controls or otherwise uses or comes to possess the personal data of EU citizens.

In this first of a series of articles addressing GDPR, we’ll review the key tenets of the regulation, who it impacts and how companies can work toward compliance. In subsequent Insights, we’ll cover GDPR’s impact on third-party vendor management as well as dive deeper into the meaning of “consent” as it relates to the regulation.

Where Did GDPR Come From?

The EU’s new privacy regulation was first approved by the European Parliament in April 2016 and formally goes into effect May 25, 2018. The GDPR replaces the EU’s Data Protection Directive, which was originally adopted in 1995 and is now considered outdated given the advances in technology and the growing risks associated with personal data.

Who Does GDPR Impact?

GDPR is not specific to companies based in the EU. Rather, any business that maintains or processes data related to persons located within the European Union is required to comply.

US-based companies within e-commerce, software, travel and hospitality, for example, are widely considered to fall under the compliance restrictions of GDPR given that they operate wide-scale online platforms and solicit personal data via their websites.

Companies qualify under GDPR as either data controllers – those that determine how and for what purpose personal data is used or stored – or data processors – those that process data on behalf of a controller.

NOTE: Read more on the varying qualities of data controllers and data processors – as well as their specific requirements under GDPR – in this MFA Insights article.

What Does GDPR Consider Personal Data?

GDPR’s definition of what qualifies as personal data is broad: “any information relating to an identified or identifiable natural person”. Unlike other recent data privacy regulations we’ve seen implemented – Massachusetts’s 201 CMR 17, for example – which more clearly define personally identifiable information (PII), the scope of GDPR’s reach remains somewhat unclear given the vague parameters. As such, companies required to comply will need to take expansive steps to ensure any information that could potentially be considered “personal” is protected.

What Are the Penalties for Non-Compliance?

The EU is taking GDPR very seriously, and as such, the penalties for non-compliance are quite severe. Failing to adhere to GDPR requirements can lead to significant fines – up to 20 million euros (equivalent to $24.9 million USD) or 4% of global annual turnover, whichever is greater.

How Can My Organization Comply?

Companies should start by understanding what personal data they currently store and process on EU residents before they can begin to implement new standards for the protection of this data. Conducting an assessment to identify the types of personal data present, where that data is located, what you do with it and how long it is stored is a wise starting point.

The GDPR states that companies must provide a “reasonable” level of protection for the personal data of EU citizens, but “reasonable” is not specifically defined, leaving much in the way of compliance open to interpretation.

In Part 2 of our Insights series on GDPR, we dive deeper into the differences between data controllers and data processors and address how organizations that work with third-party vendors may be impacted by the regulation.

In the meantime, if you have questions about your business’ compliance requirements with GDPR, please contact MFA.

Michelle Mackey