The Countdown to GDPR – Will you be ready?

March 16th marks ten weeks left before the May 25, 2018 deadline for the European Union’s (EU) General Data Protection Regulation (GDPR). GDPR replaces the 1995 Data Protection Directive (95/46/EC) and the national laws that implemented it, such as the UK’s Data Protection Act 1998, with a single regulation that applies directly across the EU. Ian Singer, the lead IT Assurance Partner for UK CPA firm PKF Littlejohn, explained, “Most of the data protection laws are 20 years old. Clearly the world has changed radically in that time, particularly with digital marketing.”

Much like the recent update to the U.S. tax law, GDPR is a lengthy law with a great deal of grey area left to interpretation. One item that is crystal clear is the size of the penalties: administrative fines of up to 20 million Euros or 4% of worldwide annual turnover, whichever is higher. Another clear aspect is its territorial reach: it applies to any organization that processes the personal data of individuals in the EU, regardless of where the organization is based, if it offers them goods or services or monitors their behaviour.

The core concept of GDPR is individual rights. The law gives individuals in the EU (data subjects, in the law’s terms) greater control over the personal data that organizations hold about them, and sets out the rights they can exercise over that data. These rights include:

  • The right to be informed – Individuals must be told, at the time their data is collected, who is collecting it, why, on what legal basis, how long it will be kept and what rights they have; data cannot be collected without this notice
  • The right of access – Individuals can ask an organization to confirm whether it holds their personal data and to receive a copy of it, together with the purposes of the processing and the recipients of the data
  • The right to rectification – Individuals can have inaccurate personal data corrected and incomplete data completed, typically after reviewing it under the right of access
  • The right to erasure – Also known as the “right to be forgotten”: in specified circumstances (for example, the data is no longer needed for the purpose it was collected, or consent is withdrawn and no other legal basis applies) individuals can require an organization to delete their personal data and, where the data was made public, to take reasonable steps to tell other organizations processing it
  • The right to restrict processing – Where individuals contest the accuracy of their data or object to its processing, they can require the organization to stop using it (it may still be stored) while the matter is resolved, rather than taking the “erasure” route
  • The right to data portability – Individuals can receive the personal data they provided in a structured, commonly used, machine-readable format and have it transmitted to another organization (a competitor, for instance); businesses cannot hold that data “hostage”

Demonstrating Compliance

Many U.S. companies have been caught in an extreme time crunch attempting to comply with this law’s requirements by May 2018.  If you haven’t performed your due diligence yet, how do you begin?

Frazier & Deeter’s Process, Risk & Governance Partner Gina Gondron suggests, “Look at what you are already doing to protect consumer data. It’s an overwhelming law and standard to some, but when you peel back the layers, the purpose is how you are handling the data of your customers. It’s not something that should be that foreign.”

Gondron also notes that organizations that already have System and Organization Controls (SOC) reports have an excellent starting point: the controls documented and tested there can serve as the basis for their GDPR compliance work.

In order to demonstrate compliance, consider these steps:

  1. Get an outside expert to help you review and map your existing data management controls, and inventory what personal data you hold, where it lives and why you process it
  2. Identify gaps, especially in the area of the right to be forgotten: can you locate and delete one individual’s data across every system, vendor and backup?
  3. Identify a Data Protection Officer (mandatory for public authorities and for organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data; a sensible choice for others)
  4. Review data breach notification procedures, or develop them if not already in place; GDPR requires notifying the supervisory authority within 72 hours of becoming aware of a breach, and the affected individuals without undue delay when the risk to them is high
  5. Develop employee training materials specific to managing customer data

Given the lack of detailed guidance and, as yet, of any approved certification scheme, organizations that are challenged under the new law need to be able to show a documented, good-faith effort to comply. GDPR’s accountability principle makes an organization responsible for demonstrating compliance, not merely for complying.

As Singer puts it, organizations should be ready to “show you have a process you are following, and that you are taking a serious view of this. You should be having good conversations, with the right people, including your Data Protection Officer. At the heart of those conversations you must have the rights of the individual, not the company.” The concept of privacy by design and by default (Article 25 of GDPR), rather than privacy as an afterthought, is the goal.

Have questions about your status and how to proceed with this rapidly approaching compliance deadline? Listen to our webcast, or talk to one of our data protection advisors.
