Does EU’s General Data Protection Regulation (GDPR) Apply to Your Organization?
What You Need to Know
Don Kaiser, CPA
Focused on You. Dedicated to Your Success.
Januar y 22, 2018

May 25, 2018, may not be an important date to you right now, but it could be significant if you do business in or market to prospects in the European Union (EU). May 25 is the date that all EU businesses, as well as certain companies outside of the EU, must comply with the General Data Protection Regulation (GDPR) or face a hefty penalty. Depending on the infraction, companies that are not GDPR compliant by May 25 can be fined up to €20 million (approximately $22.9 million) or 4% of global turnover (revenue) for the previous year. 

Generally, GDPR applies to businesses that handle personal data on individuals in the EU. A company could be required to comply with GDPR standards even if they are not physically located in the EU and they do not transact business in Europe. Any business that has customers, offers goods or services and/or monitors the behavior (profiles) of persons in the EU must be GDPR compliant. This includes companies based in the U.S.  

In most cases, companies that process significant amounts of data and/or certain types of data will have to appoint a data protection officer (DPO). To be fully accountable, the DPO will have to report directly to the highest level of management within the organization, have the resources available to do the job, and maintain a level of expertise in data security.

GDPR broadens the rights individuals have under the current EU Data Protection Directive (DPD). Introduced in 1995, this uniform data protection policy was adapted by all countries within the EU to alleviate the need for businesses to adapt the standard imposed by each country. Basically, GDPR requires that individuals intentionally opt in (obtained in writing, electronically or verbally) to receive communications from a company. Businesses will have to put systems and processes in place to prove that these individuals want to receive information from them. Businesses will be allowed to only collect enough information to achieve a specific purpose which must be clearly communicated to individuals opting in. In addition, businesses can only store information on individuals for the amount of time needed to accomplish the task.

Detailed records of personal data processing activities, privacy impact assessments, and privacy by design protocols will be required under GDPR, as well as data on who has access to information on individuals. Parental or guardian consent will have to be obtained for anyone 16 years old or younger Currently, consent is required for communicating with children 13 and under in the U.S. per the Children’s Online Privacy Protections Act (COPPA).

Individuals in the EU will have the “right to erasure” or the right to request that their data is permanently removed from a company’s database. Companies must adhere to all such requests unless there is a valid reason to continue to store and process an individual’s data.

GDPR also requires companies to notify the supervising authority with 72-hours of a data breach and impacted individuals “without undue delay.” The fine for not complying with the data breach notification provision can be up to €10 million or 2% of global turnover for the previous year. 

Companies based in the U.S. that did not have to comply with DPD may have to adapt GDPR if they offer goods or services to persons in the EU, or profile persons in the EU. Businesses that offer cloud-based technology solutions, pharmaceutical products, medical devices, as well as hotels, universities, professional service providers and non-profit organizations are especially encouraged to assess if GDPR applies to them.

Generally, businesses should consult with various different departments within their organization including, but not limited to: accounting, sales, marketing, customer services, IT and fulfillment to identify EU-based customers, prospects, and other individuals in which they may have data on, as well as how the data is used and stored. 

A lot of information is available online on GDPR. Here is the link to the final regulation issued by the 
European Parliament and the Council of the European Union on April 5, 2016. Please feel free to call us at 610.828.1900 if you have questions or concerns. You can contact Don Kaiser, CPA, principal in our New Jersey office at [email protected] or myself at [email protected] . We are always happy to help.

Martin C. McCarthy, CPA, CCIFP
Managing Partner
McCarthy & Company, PC

Disclaimer This alert is for informational purposes only and does not constitute professional advice. Information contained in this communication is not intended or written to be used as tax advice, and cannot be used by the recipient to avoid penalties that may be imposed under the Internal Revenue Code. We strongly advise you to seek professional assistance with respect to your specific issue(s).