March 5, 2018
Generally, GDPR applies to businesses that handle personal data on individuals in the European Union (EU). A company could be required to comply with GDPR standards even if they are not physically located in the EU and they do not transact business in Europe. Any business that has customers, offers goods or services, and/or monitors the behavior (profiles) of persons in the EU must be GDPR compliant. This includes companies based in the U.S.
A lot of information is available online about how to prepare for GDPR. The European Parliament and the Council of the European Union published its
final regulation
on April 5, 2016.
To get started, you should consult with the accounting, sales, marketing, customer services, IT, and other departments within your company to identify EU-based clients, prospects, and other individuals in which you may have data on, as well as how the data is used and stored.
HubSpot has a lot of
useful information
. Included is a
checklist
on what you need to do to be GDPR compliant. HubSpot suggests that you:
- Assess the information you have, how the information is collected and stored, as well as determine if adequate protection is in place.
- Develop a GDPR project plan.
- Implement procedures and controls, especially for situations which may require that you notify the authorities or clients about a data breach.
- Document all sources of information on clients and prospects as well as how they opted-in, for what purpose and how long you may keep and use their data.
- Ensure that all third-party vendors that have access to your data are GDPR compliant and have the necessary data protection protocols in place. Add clauses to your vendor contracts to protect your firm.
CommuniGator, a leading marketing automation software provider in the U.K., provides resources on how GDPR may impact your marketing initiatives if you must comply with GDPR. This includes a
GDPR Compliance Checklist
which is more focused on marketing than data protection. CommuniGator recommends that you:
- Determine if your company will be affected by GDPR.
- Decide how you will be affected by the new regulations.
- Understand the penalties.
- Plan to meet the GDPR adaption timeline.
- Establish which controls you will need in place for your opt-in process.
- Write and make available your opt-in statement.
- Get explicit consent from implied-consent subscribers (customers and prospects).
- Get as many individuals as possible on purchased targeted email lists to opt-in.
- Obtain explicit consent from as many non-engaged individuals as you can.
- Identify who you do not have explicit consent from before May 25th and stop marketing to these EU individuals until they consent to receive your communications.
- Check that your privacy and cookie policies are GDPR compliant.
- Put controls in place to track and secure personal data you have on individuals in the EU.
- Implement data transparency measures to comply with GDPR’s right to be forgotten, subject access right and right to data portability requirements.
The time is now to figure out if you need to comply. Depending on the infraction, companies that are not GDPR compliant by May 25 can be fined up to €20 million (approximately $22.9 million) or 4% of global turnover (revenue) for the previous year.
Please feel free to call us at 610.828.1900 if you have questions or concerns. You can contact Don Kaiser, CPA, principal, in our New Jersey office at
[email protected]
or myself at
[email protected]
. We are always happy to help.
