The General Data Protection Regulation (GDPR) became effective May 25, 2018, and introduced strict rules for the protection of the personal data of EU citizens. GDPR expanded the scope of previous EU regulations to include any data processor or data controller that processes the personal data of EU residents. Under this law, U.S. companies have to employ data transfer mechanisms (such as Privacy Shield) if they want to continue doing business – even online – with EU data subjects.
Companies are experiencing these changes throughout their functional areas, but particularly in their legal, IT security, business, sales, data collection and marketing departments. There are no exceptions: GDPR applies to companies of all sizes, regardless of whether data is kept in-house or in the cloud. GDPR applies to existing customer data, not just new customers.
It is hard to overestimate the impact of GDPR, which has the potential to do for data privacy what Sarbanes-Oxley did for financial regulation. This is not a matter of updating a few policies. It will require changes to applications as well as changes to contracts and third-party relationships.
Internal audit plays a pivotal role in assessing the compliance posture of an organization, testing the compliance framework and the timely reporting of data breaches, challenging management assumptions, and making sure the organization is truly compliant. Data protection, specifically related to GDPR, might well be a focus point for all integrated audits that are conducted.
Key requirements of the regulation include:
Ask these key questions to start the planning process for GDPR compliance:
To learn more about GDPR, read and download Protiviti’s GDPR FAQ Guide. Here are a few articles we have compiled related to GDPR:
GDPR: Legitimate Interest vs. Consent
How Is GDPR Enforced? Who Resolves Disputes? This Detailed Podcast Offers Answers
Knowledge Is Power: What Higher Education Institutions Must Know About GDPR Compliance Risk