Rocco Galletto
The EU General Data Protection Regulation (GDPR) went into effect on May 25, 2018. It contains important new operational requirements concerning data minimisation, accuracy, accountability, purpose and storage limitations, and data protection, which require organisations to make technological and administrative changes in order to comply. The GDPR also mandates that companies demonstrate compliance, which requires the creation of policies, procedures, and documentation mechanisms.
Companies doing business with or in the EU, or marketing goods and services to EU residents, must apply GDPR standards to how they collect, handle and secure information that identifies a natural person, such as a name, address or email address, or they risk heavy fines and penalties. Penalties may even be criminal in nature, and companies that are not located in the EU may also be affected, since their EU client companies and suppliers may require compliance as a condition of continued business.
The data protection principles in the GDPR set out the main responsibilities for organisations. They are similar to those in the Data Protection Directive (DPD) with added detail and a new 'accountability' requirement. The GDPR contains many dependencies and not all requirements apply to all companies. Many of the current DPD provisions are carried forward, some are strengthened, some are relaxed or replaced, and new requirements and recommendations are included. Experienced guidance is critical in order to achieve timely compliance.
BDO offers services to help companies achieve compliance with the GDPR, including compliance assessments, privacy engineering, policy & procedure development, and much more.