The EU General Data Protection Regulation (GDPR) goes into effect on May 25, 2018, and contains important new operational requirements concerning data minimisation, accuracy, accountability, purpose and storage limitations, and data protection (security of processing) that will require impacted organisations to begin making technology and administrative changes well in advance of the deadline. The GDPR also mandates that companies be able to demonstrate compliance, which will require the creation of policies, procedures, and documentation mechanisms such as records of processing activities.
Companies doing business with or in the EU, or offering goods and services to individuals in the EU, must update how they collect, handle and secure personal data, meaning any information relating to an identified or identifiable natural person, such as a name, address, email address or online identifier, or they risk heavy administrative fines. Member states may also provide for additional penalties under national law, including criminal ones, and even companies that are not located in the EU may be affected, both because the GDPR applies to them directly when they target or monitor individuals in the EU and because their EU client companies and suppliers may require compliance as a condition of continued business.
The data protection principles in the GDPR set out the main responsibilities for organisations. They are similar to those in the current Data Protection Directive (DPD) with added detail and a new 'accountability' requirement. The GDPR contains many dependencies and not all requirements apply to all companies. Many of the current DPD provisions are carried forward, some are strengthened, some are relaxed or replaced, and new requirements and recommendations are included. Experienced guidance is critical in order to achieve timely compliance.
BDO offers services to help companies achieve compliance with the GDPR including GDPR compliance assessments, privacy engineering, policy & procedure development, and much more.