The European Union’s General Data Protection Regulation takes effect Friday, and it could affect accountants and auditors, along with their clients, in the U.S.
Under the GDPR, any company that gathers, monitors or manages the personal information of EU residents will need to make drastic changes in how it gets and stores the data. Companies in both Europe and the U.S. have been blitzing consumers in recent weeks with emails about new user agreements and privacy policies, while some U.S. businesses have announced they will need to exit the European market.
“There’s a lot of U.S. companies that are selling goods and services to individuals in the EU, and there are many dotcom companies and ecommerce companies that have a global footprint and are selling to people all over the world, even if their employees and infrastructure are all in the United States,” said Jeffrey Sanchez, security and privacy managing director at the global consulting firm Protiviti. “Certainly GDPR applies to those organizations. GDPR also applies to other brick and mortar companies that are selling goods and services, whether it’s airplane parts, construction equipment, or a variety of finished products in Europe, where GDPR is going to apply. The reach of GDPR is very broad. One of the biggest changes between the previous privacy legislation and GDPR is that GDPR applies to any company, regardless of where they’re physically located if they’re selling goods and services to people inside the EU.”
Even though the deadline for complying with the new rules is supposed to be Friday, May 25, 2018, many businesses in the U.S. are only now hearing about the new rules, and their accountants can help them get up to speed and audit their compliance.
“Accountants play lots of different roles,” said Sanchez. “If you talk about accountants that play an internal audit role or advisory role, we see in many companies internal audit playing a key role of assisting the organization with their implementation of GDPR. For example, one of the requirements of GDPR is to develop an inventory of all the processing activities. It’s called a Record of Processing Activities, or a ROPA. Internal audit and the accounting people who generally make up an internal audit function are uniquely positioned to be able to assist the organization with developing that because internal auditors generally have a very broad understanding of the organization. They’re very process oriented and they have the skill sets and tools to do data flow maps. I think internal audit in particular is very well suited to helping an organization to go through this process.”
He also sees a role for internal audit in evaluating whether a company is complying with GDPR. “It’s not unlike auditing other regulations, going through and assessing is the company following its policies and procedures,” said Sanchez. “I think those are all activities that internal audit or accountants working in a business consulting advisory type of model are very well suited for assisting organizations.”
Accountants might even be able to help with all those emails that have been hitting inboxes recently. GDPR requires a lawful basis for processing of personal data by companies, and in many cases companies have been updating their privacy agreements while notifying customers about the changes.
“Organizations that are subject to GDPR, those that are offering goods and services into Europe, are going through and revamping their privacy policies,” said Sanchez. “That’s why you see all these companies releasing new privacy statements and privacy policies in the last couple of weeks. One of the requirements of GDPR is that organizations have to have a legal basis for processing. That means that there has to be a legitimate reason why the organization is allowed to use and process the personal data on the European data subjects, so we also see a lot of activity with organizations going through and updating consent language, or documenting other legal bases of processing if they’re not using consent as the basis of processing. I think that’s something accountants can help with: helping organizations update their legal basis of processing and assisting with the documentation associated with that activity.”
Some of the main requirements of GDPR include the right to access, which gives people the right to obtain their data and to know how it’s being handled; the right to rectification, allowing citizens to amend and correct their personal data; and the right to erasure, also known as the right to be forgotten, permitting subjects to request deletion of their related personal data.
Ready or not, the GDPR takes effect Friday, so companies are scrambling now to comply as best they can.
“The European privacy authorities have all said there’s not going to be an extension,” said Sanchez. “One of the privacy authorities stated that companies have had two years to implement this. That was their two-year grace period, and there’s not going to be any additional grace period, but I think what we’re seeing in reality is many companies are not going to be 100 percent compliant by the deadline, so this exercise of obtaining compliance is going to be an ongoing activity.”
Many businesses in the U.S. have never heard of GDPR or have only heard about it recently, so it’s not surprising that the level of preparedness is low in this country.
“My experience with companies in the United States is that the awareness started ramping up in late 2017,” Sanchez said Thursday. “Starting in early 2018, we saw the acceleration of awareness, and companies are trying to rush through this. But still a lot of organizations aren’t going to be compliant by tomorrow, and we’re expecting to see the activity of organizations that are getting to compliance continuing for many more months.”
Businesses not only have to worry about their own compliance with the new data privacy rules, but also about how well their business partners are complying as third parties who handle their customers’ data.
“The data controller is the organization that receives the data from the individual, but all of the data processors, which could be vendors to the data controller, all have to comply as well,” said Sanchez. “One of the things we’re seeing now as well is every company is sending letters to every one of their vendors asking them about their compliance with GDPR, asking them to sign privacy addendums. You can imagine all of the different companies and all of the different vendors — we’re talking about millions of these requests going around right now — asking organizations to describe their controls or commit to comply with GDPR. That effort alone is going to take a lot of time to evaluate all those vendor relationships. That’s definitely one I’m seeing go past the deadline for many companies.”
However, companies that decide to ignore the new requirement could find themselves facing heavy penalties. “The fines are enormous,” said Sanchez. “The European authorities have the ability to fine up to 4 percent of global revenue. The maximum fine is the greater of 20 million euros or 4 percent of global revenue. That gets people’s attention. That can be a big number, and we do expect to see the European authorities open investigations and actively enforce compliance. That’s one of the things where there’s a little bit of wait and see as to what happens starting tomorrow. The European authorities have hinted that they’re intending to actively enforce GDPR.”
GDPR Misconceptions
Robert Cattanach, a partner at the international law firm Dorsey & Whitney and a former trial attorney at the Justice Department, has been closely watching developments with the GDPR and believes there are many misconceptions about it.
“Some common misperceptions being heard around the U.S. and Canada include:
“If I don’t have operations in Europe, it doesn’t apply. Wrong. Any U.S. company offering goods or service to EU residents — i.e., anyone with a website — is likely required to comply,” Cattanach said in a statement.
“If I am covered by the GDPR I have to appoint a Data Protection Officer (DPO) in the EU. Wrong. A U.S. company’s obligation to appoint a DPO, or even a designated representative, is a complex and highly fact-dependent analysis,” Cattanach said.
“If I am not covered by GDPR I don’t have to update my Privacy Policy. Wrong. A lot has happened in the U.S. since companies started adopting boilerplate Privacy Policies without really understanding what they were committing to do, and not to do,” Cattanach said. “Regardless of whether you are covered by GDPR, basic principles of good information governance mandate a careful look at your privacy policy and terms of use on your website. The biggest risk: overstating who you share your data with. Virtually all websites employ third-party data analytic services, which often open the door to opaque gathering, mining, and trading of a person’s data in ways the website owner may not understand at all — and often conflicts with commitments made to customers and website visitors.”
“If I’m a small to medium-sized U.S. company, there’s virtually zero chance of any enforcement action against me so I can just wait until we understand better how it’s all going to work. Maybe — maybe — right. EU regulators will likely target the larger companies, especially U.S. tech companies, at first, but GDPR allows private citizens to lodge complaints, and even bring class actions,” Cattanach said. “All it will take is one disgruntled customer or employee whistleblower to spotlight someone who thought they could fly below the radar for a few years. If your appetite for risk is voracious, you might avoid detection for a while. But if you completely ignore GDPR and get caught, the financial exposure to penalties and long-term scrutiny could be breathtaking.”