
GDPR: What Does It Mean for US Organizations?
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) was created to uphold the fundamental personal information rights of individuals and to further unify the member states of the EU in their endeavor to manage and protect data. The GDPR’s predecessor, the Data Protection Directive (the Directive), was in place to afford similar protections to data subjects. However, since the Directive’s adoption in 1995, we have seen tremendous changes to the technology landscape and a constant flow of cross-border data transfers, and we have recognized that the protections offered through the previous legislation were antiquated and obsolete. With the introduction of the GDPR, individuals have been empowered like never before, and organizations bound to the new framework are starting to feel the weight of that.

How it will affect US-based companies

The US stands to be affected directly by the GDPR because the new privacy model applies to any enterprise in the world that targets the European market by offering goods or services to, or profiling, European citizens, and as a result must process personal data drawn from those member states. All companies processing EU personal information will have until May 25, 2018 to comply with the reform. Many of the companies that will be affected directly already have existing policies and procedures around privacy due to their need to comply with the previous Directive. It is important for these companies to note that the GDPR added new protections for EU data subjects that will require revisions of their current privacy and compliance programs.

Data Breach Notification

The GDPR’s breach notification requirements are far more prescriptive and demanding than the Directive’s and will likely require most US-based companies to amend their breach notification policies and procedures to comply with the GDPR. In instances where personal data freedoms and rights may be violated, data processors must notify data controllers without undue delay, and data controllers must notify the supervisory authority within 72 hours. The documentation and communication of breaches must be delivered in an outlined form and adequately detail certain key information about what has occurred and how it has been handled. When the timing obligations are not met, an organization must justify the delay to the supervisory authority. It seems as though the GDPR has battened down the hatches on both upstream and downstream obligations, and it may require organizations to slightly overhaul their data sharing relationships. However, a likely benefit to come from this effort is that companies will be able to simplify their policies and procedures so that they uniformly cover the expectations of all EU member states, and US-based companies will be able to dispatch a single notice.

Data Protection Officer

Under the GDPR, data controllers and processors must designate a data protection officer (DPO) where the main activities of a company involve monitoring of data subjects on a large scale or when the company conducts large-scale processing of special categories of personal data. This new requirement can be met with a company’s current privacy or compliance professional. There is still a great deal of uncertainty as to what the role of the DPO will encompass and what the parameters on appointment are. Further guidance is to be issued on the matter, and American companies should keep an eye out for it.

Consent

Under the old Directive, companies were able to rely on implicit and “opt-out” consent in some circumstances. Under the GDPR, silence, pre-ticked boxes, or inactivity will no longer constitute consent. Data subjects must confirm their choice by a freely given, specific, informed, and unambiguous statement or a clear affirmative action. As with the Directive, the GDPR has distinct requirements for processing special categories of personal data, but has added more to the list. Data subjects must be given the right to withdraw consent at any time. Lastly, the GDPR has introduced restrictions on the ability of children to provide consent without parental authorization.

Data Transfers Across Borders

Companies will be able to transfer data to a third country, a territory or specified sector within a third country, or an international organization, so long as it has been granted an adequacy designation. US companies should know that the granting or retraction of an adequacy designation is binding in all EU member states.

Right to be Forgotten and Data Portability

The GDPR introduced two new rights for data subjects. The right to be forgotten was codified to allow individuals to request the deletion of their personal data. The GDPR also gives data subjects the right to receive their data in a common format and to have it transferred to another controller if they so request.

Vendor Management

Under the GDPR, the controller is liable for the actions of the processors it chooses, so it is important that US-based companies select their processors carefully. The relationship between a controller and a processor should be governed by a contract, which should include details around the data itself, retention periods, disposal requirements, the nature and purpose of the data, etc.

Pseudonymization

Under the GDPR, personal data does not include data that does not relate to an identified or identifiable natural person, or data rendered anonymous in such a way that the data subject is no longer identifiable. US companies familiar with HIPAA may recognize this concept given its similarities with the de-identification of protected health information. The GDPR plainly endorses the use of pseudonymization, and there are incentives for companies that choose to apply it to the data they collect. US-based companies should explore this method as an option if it is not something they currently do with the personal data they collect and/or process.
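As an added illustration (not part of the original article or of Schellman’s own tooling), the example below pseudonymizes a constructed record set with a keyed HMAC: records stay linkable for analytics, but re-linking a token to a person requires the key, which Art. 4(5) GDPR expects to be held separately from the pseudonymized data. The record fields and key handling are assumptions for the demo; note that pseudonymized data is still personal data under the GDPR (Recital 26), unlike truly anonymous data.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (fictitious people) with one direct identifier.
RECORDS = [
    {"email": "alice@example.com", "country": "DE", "purchase_eur": 120},
    {"email": "bob@example.org", "country": "FR", "purchase_eur": 35},
    {"email": "alice@example.com", "country": "DE", "purchase_eur": 80},
]

# Demo keys generated at import time. In practice the key is the "additional
# information" that must be kept separately (e.g. in a KMS or HSM), never
# stored alongside the pseudonymized data set.
DEMO_KEY = secrets.token_bytes(32)
OTHER_KEY = secrets.token_bytes(32)


def pseudonymize(identifier: str, key: bytes) -> str:
    """Deterministic keyed pseudonym: HMAC-SHA256 over the identifier.
    Same identifier + same key -> same token, so records remain linkable;
    without the key nobody can compute a token for a known identifier."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def unkeyed_hash(identifier: str) -> str:
    """Plain SHA-256, shown for contrast only: anyone who knows or guesses
    an identifier can recompute this value, so it is a weak pseudonym."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def pseudonymize_records(records: list, key: bytes) -> list:
    """Replace the direct identifier with its pseudonym; keep other fields."""
    out = []
    for rec in records:
        clean = dict(rec)  # copy so the input records are not modified
        clean["subject_token"] = pseudonymize(clean.pop("email"), key)
        out.append(clean)
    return out


def matches(token: str, identifier: str, key: bytes) -> bool:
    """Re-identification check, possible only for a holder of the key
    (constant-time comparison to avoid leaking matches via timing)."""
    return hmac.compare_digest(token, pseudonymize(identifier, key))
```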

Code of Conduct and Certifications

Due to the difficulty of ensuring that each company is compliant with the GDPR, codes of conduct and certifications have been endorsed as guidance on the requirements and as proof of compliance. US-based companies should familiarize themselves with the differences between them to ensure they choose the best one for their business model.

Enforcement and Fines

The new enforcement procedures and fines associated with the GDPR are perhaps what have most companies nervous. The hefty fines for non-compliance with the GDPR can reach the millions or even billions of dollars. Violators will be placed in one of two tiers, with the higher tier costing violators up to 20 million euros or 4% of the company’s net income.

Conclusion

The GDPR has revealed itself to be the highest denominator in privacy doctrine in history. It has greatly broadened the definition of personal data and overhauled or bolted on principles that will take organizations some time to tackle, even those that are privacy-mature and familiar with the Directive. May 25, 2018 may seem like an eternity away as we only near the end of 2016, but be assured that the GDPR was intentionally designed with a long fuse given the necessary reform it involves. Although it may be challenging for US-based companies in certain respects, the GDPR must be hailed as an awesome step in the direction of promoting the rights of natural persons and should ultimately strengthen global relations and commerce.

About Maria Sanchez Flores

Maria G. Sanchez Flores is a Senior Associate with Schellman based in Atlanta, GA. Prior to joining Schellman in 2016, Maria specialized in HIPAA/HITECH compliance audits and privacy advisory engagements. Maria also led and supported various other projects, including business process development, legal research, internal audit services and regulatory compliance engagements. She has over 4 years of experience serving clients in various industries, primarily healthcare and privacy.