How to Prepare for GDPR
Donald J. Kaiser, CPA
Focused on You. Dedicated to Your Success.
March 5, 2018

On January 22, 2018 we sent you an alert entitled “Does EU’s General Data Protection Regulation (GDPR) Apply to Your Organization?” In that alert we provided you with background information on GDPR. This alert discusses what you should do to prepare. GDPR takes effect on May 25, 2018 in the EU.

Generally, GDPR applies to businesses that handle personal data on individuals in the European Union (EU). A company could be required to comply with GDPR standards even if it is not physically located in the EU and does not transact business in Europe. Any business that has customers, offers goods or services, and/or monitors the behavior (profiles) of persons in the EU must be GDPR compliant. This includes companies based in the U.S.

A lot of information is available online about how to prepare for GDPR. The European Parliament and the Council of the European Union published their final regulation on April 5, 2016.

To get started, you should consult with the accounting, sales, marketing, customer service, IT, and other departments within your company to identify EU-based clients, prospects, and other individuals on whom you may hold data, as well as how that data is used and stored.

HubSpot has a lot of useful information. Included is a checklist on what you need to do to be GDPR compliant. HubSpot suggests that you:
  • Assess the information you have, how the information is collected and stored, as well as determine if adequate protection is in place. 
  • Develop a GDPR project plan.
  • Implement procedures and controls, especially for situations which may require that you notify the authorities or clients about a data breach.
  • Document all sources of information on clients and prospects as well as how they opted-in, for what purpose and how long you may keep and use their data. 
  • Ensure that all third-party vendors that have access to your data are GDPR compliant and have the necessary data protection protocols in place. Add clauses to your vendor contracts to protect your firm. 

CommuniGator, a leading marketing automation software provider in the U.K., provides resources on how GDPR may impact your marketing initiatives if you must comply with GDPR. This includes a GDPR Compliance Checklist which is more focused on marketing than data protection. CommuniGator recommends that you:
  • Determine if your company will be affected by GDPR.
  • Decide how you will be affected by the new regulations. 
  • Understand the penalties. 
  • Plan to meet the GDPR adoption timeline.
  • Establish which controls you will need in place for your opt-in process.
  • Write and make available your opt-in statement.
  • Get explicit consent from implied-consent subscribers (customers and prospects).
  • Get as many individuals as possible on purchased targeted email lists to opt in.
  • Obtain explicit consent from as many non-engaged individuals as you can.
  • Identify the individuals from whom you do not have explicit consent before May 25, and stop marketing to these EU individuals until they consent to receive your communications.
  • Check that your privacy and cookie policies are GDPR compliant. 
  • Put controls in place to track and secure personal data you have on individuals in the EU.
  • Implement data transparency measures to comply with GDPR’s right-to-be-forgotten, subject-access and data-portability requirements.

Now is the time to determine whether you need to comply. Depending on the infraction, companies that are not GDPR compliant by May 25 can be fined up to €20 million (approximately $22.9 million) or 4% of global turnover (revenue) for the previous year.

Please feel free to call us at 610.828.1900 if you have questions or concerns. You can contact Don Kaiser, CPA, principal, in our New Jersey office at or myself at . We are always happy to help. 
Martin C. McCarthy, CPA, CCIFP
Managing Partner
McCarthy & Company, PC

Disclaimer: This alert is for informational purposes only and does not constitute professional advice. Information contained in this communication is not intended or written to be used as tax advice, and cannot be used by the recipient to avoid penalties that may be imposed under the Internal Revenue Code. We strongly advise you to seek professional assistance with respect to your specific issue(s).