The European Union (EU) will soon experience the biggest change to data protection laws in 20 years with the introduction of the General Data Protection Regulation (GDPR). The GDPR will be implemented May 25 and will replace the Data Protection Act 1998. The law affects accountants in the EU significantly, but the US will be affected as well. Here’s what you need to know about the GDPR.
What It Is
Cybersecurity isn’t only an increasing priority for the US. The purpose of the GDPR is to “provide more robust and up-to-date regulations for businesses to follow when handling customer data.” Accountants in the EU who handle client data will have to overhaul their processes of collecting and storing client data. Some of the changes from current laws include:
- Recording how and when client consent to store data was gained
- Client consent to store data must be “specific, informed, and unambiguous”
- Clients will have the right to opt out of any automated evaluation
One of the most significant changes is the introduction of the “right to be forgotten.” Clients will have the right to request that their personal data be deleted. If the client chooses to withdraw their consent for a practice to store their data, the practice must delete their information within 48 hours at no charge. The practice must also notify all third parties storing the client’s data that consent has been withdrawn.
Additionally, any practices doing global business or using global software (especially for storing or transferring data) will have to make sure they remain in compliance once the GDPR rolls out.
How It Will Affect the US
Evidently, US companies doing business in the EU, or that are based in the EU, have to be compliant with the GDPR. But even businesses that aren’t as directly connected to the EU will have some considerations to make.
Any US business that markets their services or products via the internet needs to be aware of what the GDPR includes. Here are the things those businesses need to consider:
- Data collected from a customer in the EU has to be in compliance with the GDPR if the data is collected while they are physically in the EU. If they are not in the EU when their data is collected, the GDPR does not apply.
- The GDPR doesn’t only apply when a financial transaction takes place. It applies to personal data as well—even if that data is only collected for something like a survey.
Here’s where it gets complicated. A business that markets broadly over the web and collects information voluntarily submitted by people anywhere, including the EU, will not be affected by the GDPR. But as soon as someone in the EU is specifically targeted, for example by including language and references aimed at the EU, the business has to be in compliance.
You can learn more about which cases apply and which don’t here.
The most important takeaway for those in the US is that if you are a US company that does business over the internet, you need to be aware of the details of the GDPR. The same goes for US accountants who help clients from the EU or help businesses that market globally.
Keep in mind, the GDPR is being implemented next week, and fines will be hefty for those not in compliance.
Want to learn more about how you can improve cybersecurity within your practice? We’re offering free CPE courses on the subject here.