GDPR’s coming, but is anyone ready?
Even in the EU, companies are not fully prepared for the potential fines related to the General Data Protection Regulation.
Since the start of the year, Brandon Gunter has fielded a steady stream of calls from business executives trying to figure out how to comply with the EU’s new data privacy rules.
With a late May deadline looming to comply with expansive data privacy standards outlined in the General Data Protection Regulation, many are just realising they’re at risk, said Gunter, a senior manager specialising in IT solutions at the accounting and consulting firm Moss Adams.
“Whether they’ve had their heads in the sand or they haven’t known what to do, they’re coming late in the game,” Gunter said.
Those companies contacting Gunter are far from alone in underestimating the deadline. Two recent surveys of business executives estimate that as many as a third of global companies haven’t begun to ready themselves, and a quarter of EU companies are at risk of racking up fines after GDPR’s enforcement date of 25 May.
GDPR will affect companies all over the world, not just those in the EU. Companies found in violation of GDPR rules could face severe punishment, with maximum penalties of €20 million or 4% of annual global revenue, whichever is higher.
“It’s a very hefty fine should you not be prepared,” Gunter said.
Regulations wide-reaching
GDPR is the latest iteration of the EU’s data privacy rules, and it may require major data system overhauls to ensure EU consumers’ private information is protected and can be excluded from large data sets.
Those with clients, vendors, and consumers in EU-member nations will need to ensure personally identifiable data is protected and offer ways for people to opt out of having their information collected and used for marketing or other purposes. Companies must notify supervisory authorities within 72 hours of becoming aware of a personal data breach.
Deadline dodgers
Global business leaders are worried about data privacy and protection, but they aren’t making the strides needed to be ready when GDPR goes into effect.
Nearly 80% of executives identified data privacy as a top-of-mind concern, but only a third said they have a GDPR compliance plan, according to an EY survey of 745 executives from 19 countries. The survey was released on 31 January.
A separate report from cybersecurity firm Senzing found that even companies in the EU aren’t ready, with nearly a quarter of businesses at risk of facing big fines.
The reality is worse outside the EU, according to the EY report. An estimated 27% of businesses in Africa and the Middle East have plans in play to comply, while only 13% of companies in the Americas and 12% in Asia-Pacific nations have a plan in place for GDPR compliance.
Risks of avoidance
Accountants, whether in-house or in consulting roles, need to make sure company leaders understand what a significant shift GDPR is for global businesses, said Torpey White, CPA/CITP, CGMA, a partner at the CPA and consulting firm Wipfli.
White’s advice: Advocate for an immediate analysis of how and where data is stored, and whether any information about EU-based employees, consumers, or vendors is being protected to the extent required by GDPR.
Companies thinking of acquiring other businesses also need to pay close attention: any gaps in the acquired company's protections could become a major liability after the May deadline, he said.
If a company is still slow to act, emphasise the financial risk it faces, White said.
“Once you start talking financial penalties and fines, people start paying attention,” he said.
Why the delay
One reason so many companies haven’t taken it seriously is confusion about the regulations themselves and a lack of understanding about data security issues, Gunter said.
Mention information technology and data sets, and eyes begin to glaze over in boardrooms, he said.
There's also been confusion around GDPR requirements, with the EU still issuing guidance on what protections will need to be in place.
Many of the protections needed aren't simple fixes, such as adding a general consent agreement to online portals. Companies will need to determine where all of an individual's personally identifiable data resides, including data held by third-party vendors, and how to ensure it is not used in ways the consumer hasn't consented to.
“You can’t just put in a firewall and think you’re good,” Gunter said.
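The data-inventory step described above, as an added example that is not from the article, Moss Adams, or Wipfli: a small Python script that searches several constructed data stores (a CRM, a payroll table, and an export from a hypothetical third-party vendor) for every record belonging to one data subject, then checks each store's declared purpose against a constructed consent register to flag uses the subject never agreed to. The store names, field names, purposes, and records are all assumptions made up for the example.

```python
"""Added example (not from the article): locate one data subject's records
across several constructed data stores and flag stores whose declared
purpose is not covered by that subject's recorded consent."""
from __future__ import annotations

from typing import Dict, List

# Constructed sample stores. Field names differ per system on purpose, as they
# do in practice (email / work_email / contact all identify the subject).
CRM = [
    {"id": 1, "email": "Anna.Muller@example.eu", "name": "Anna Müller", "country": "DE"},
    {"id": 2, "email": "pat@example.com", "name": "Pat Doe", "country": "US"},
]
PAYROLL = [
    {"employee_id": "E-77", "work_email": "anna.muller@example.eu", "iban": "DE89 3704 0044 0532 0130 00"},
]
VENDOR_EXPORT = [  # records a hypothetical mailing vendor holds on the company's behalf
    {"contact": "anna.muller@example.eu", "vendor": "MailerCo", "lists": ["newsletter"]},
]

# Assumed inventory: each store is registered with the purpose it serves.
STORES: Dict[str, List[dict]] = {
    "crm": CRM,
    "payroll": PAYROLL,
    "vendor:MailerCo": VENDOR_EXPORT,
}
STORE_PURPOSE: Dict[str, str] = {
    "crm": "service_delivery",
    "payroll": "payroll",
    "vendor:MailerCo": "marketing",
}

# Constructed consent register: normalised email -> purposes the subject agreed to.
CONSENT: Dict[str, set] = {
    "anna.muller@example.eu": {"service_delivery", "payroll"},
    "pat@example.com": {"service_delivery", "marketing"},
}

# Fields that may carry the subject's email address in any of the stores.
EMAIL_FIELDS = ("email", "work_email", "contact")


def normalise_email(value: str) -> str:
    """Case-fold and trim so 'Anna.Muller@Example.EU ' matches 'anna.muller@example.eu'."""
    return value.strip().lower()


def locate_subject(email: str, stores: Dict[str, List[dict]] = STORES) -> Dict[str, List[dict]]:
    """Return {store_name: [matching records]} for every store holding the subject."""
    wanted = normalise_email(email)
    found: Dict[str, List[dict]] = {}
    for store_name, records in stores.items():
        hits = [
            r for r in records
            if any(normalise_email(str(r.get(f, ""))) == wanted for f in EMAIL_FIELDS)
        ]
        if hits:
            found[store_name] = hits
    return found


def use_permitted(email: str, purpose: str, consent: Dict[str, set] = CONSENT) -> bool:
    """True only if the subject has recorded consent for this purpose; unknown subjects get nothing."""
    return purpose in consent.get(normalise_email(email), set())


def unconsented_stores(email: str) -> List[str]:
    """Stores holding the subject's data whose declared purpose lacks the subject's consent."""
    return [
        store for store in locate_subject(email)
        if not use_permitted(email, STORE_PURPOSE.get(store, "unknown"))
    ]


def data_map(email: str) -> Dict[str, object]:
    """One report a privacy reviewer could hand to the data owner."""
    found = locate_subject(email)
    return {
        "subject": normalise_email(email),
        "stores": sorted(found),
        "record_count": sum(len(v) for v in found.values()),
        "unconsented_stores": unconsented_stores(email),
    }


if __name__ == "__main__":
    for subject in ("ANNA.MULLER@example.eu", "pat@example.com", "nobody@example.org"):
        print(data_map(subject))
```

The point of the lookup is the normalisation and the per-store field mapping: a subject rarely appears under one identifier spelled one way, so a naive exact-match search under-reports where data lives. The `unconsented_stores` check is the part that answers the second half of the requirement; in this constructed data the vendor holds the subject on a marketing list although the consent register only covers service delivery and payroll, which is exactly the kind of gap an inventory should surface.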
GDPR is where data security and privacy regulation is headed. Having an idea where data is stored, and how third-party vendors are storing sensitive information, will do nothing but help companies prepare for the future, White said.
It’s not that the companies are willfully ignoring the requirements, Gunter said. Part of the problem is that the regulations have been a bit nebulous, he said.
Companies that already have robust data protection systems in place and meet standards endorsed by the International Organization for Standardization (ISO) should be able to incorporate fixes to meet GDPR requirements in time, Gunter said.
“If you’ve already got that, you’re going to be miles ahead,” he said.
But for companies that don’t, outside consultants may be needed.
GDPR applies to advisers, too
Accounting and consulting firms also need to pay attention to GDPR, not just advise their clients about it, White said.
Firms doing tax or other types of work for global companies can very well have personal information of EU-based vendors or employees, and firms need to ensure that information is held up to the privacy and protection standards being dictated by the GDPR, he said.
“If we want to hold ourselves out as knowing what best practices are, then we need to be doing it,” White said.
— Sarah Ovaska-Few is a freelance writer based in North Carolina. To comment on this article or to suggest an idea for another article, contact Neil Amato, an FM magazine senior editor, at Neil.Amato@aicpa-cima.com.