After years of preparation and debate, the European Union’s General Data Protection Regulation (“EU GDPR” or “GDPR”) will go into effect and become fully enforceable on May 25th, 2018.
The law’s primary objective is to protect the data and privacy of all EU citizens and to standardize the responsibilities of in-scope data controllers and processors. The Regulation does not seek to impede the free movement of information, so as not to adversely affect the EU economy.
The EU GDPR replaces Data Protection Directive 95/46/EC. Prior to GDPR, each EU member state controlled implementation and enforcement of data protection laws. Key changes from the Directive include an increase to the territorial scope and the strengthening of the data subject’s rights.
The EU’s authoritative bodies designed and passed GDPR in an effort to harmonize enforcement across the Union. Because the GDPR is a regulation rather than a directive, member states no longer individually decide how to implement and enforce the law. Instead, the Regulation explicitly states how it must be implemented and enforced.
Major changes from the Directive to the GDPR include an increase in the territorial scope of the law. In terms of material scope, the Regulation applies to:
‘the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.’
This means the regulation applies to any processing of personal data of EU citizens, whether in an automated or manual fashion. By personal data, the law means any information relating to an identified or identifiable natural person. This data includes, but is not limited to:
- Identification numbers
- Location data
- Online identifiers, such as an IP address
- Physical, physiological, genetic, mental or any other health information
- Economic, cultural or social identity of the natural person
The old Directive was only applicable to persons or entities located within the EU. However, one of the major changes of the GDPR is that the Regulation now applies to any person or entity that processes EU citizen data, regardless of the location of the person or entity.
The Regulation applies to entities outside of the Union if the processing of personal data is related to one of the following options:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
- the monitoring of their behaviour as far as their behaviour takes place within the Union.
If you, or your organization, are responsible for either the offering of goods and services or the monitoring of the behavior of EU citizens that involves the processing of their personal data, your organization will be subject to this Regulation.
Data Processing Principles
The Regulation requires that all processing of covered personal data follow established principles including:
- Lawfulness, fairness and transparency – the data is collected and processed only when the data subject has given appropriate consent, when processing is necessary for the performance of a contract or for compliance with a legal obligation, or when it is vital to protect the interests of the data subject or the public
- Purpose limitation – the information is collected solely for the purpose established and agreed upon by all parties
- Data minimization – limited to what is necessary to complete the agreed upon processing
- Accuracy – the data is ensured to be accurate, and where necessary, kept up to date
- Storage limitation – the data is kept no longer than what is necessary for the purpose for which the personal data is being processed
- Integrity and confidentiality – the data is processed in a manner that ensures appropriate security of the personal data
GDPR Impact on US Companies
Under GDPR, organizations are accountable for reporting their covered processing activities to the applicable authorities, as well as being able to demonstrate their compliance with the Regulation. To be GDPR compliant, organizations must provide evidence of:
- Data protection by design and by default
- The creation and maintenance of a record of processing activities
- Security of the processing
- Data protection impact assessments and prior consultation
- The establishment of a data protection officer
- Codes of conduct and certification
GDPR’s Severe Fines and Penalties for Non-compliance
So why is this important to US Businesses?
Beyond the desire to keep customers’ personal data safe and private, US businesses that are not compliant with this Regulation may face significant penalties: administrative fines of up to 20 million Euros, or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Freed Maxick Can Help Your US Business Become GDPR Compliant
Our team of privacy and security control experts will work with you and your organization to review your overall compliance with GDPR. By conducting a thorough examination of your organization’s privacy practices, we can help you navigate GDPR, identify weak areas in your current processes, and advise you on the most effective and efficient ways to achieve and maintain GDPR compliance.
By: Sandra DeSimone, CPA, Supervisor
The Single Audit Act was established in 1984 for the purpose of auditing States, local governments, and Indian Tribal governments that administered federal financial assistance programs. The Office of Management and Budget (OMB) issued OMB Circular 128, and later A-133 (for non-profit organizations) to offer implementation guidance.
What is the purpose of the reforms?
The proposed reforms of OMB Circular A-133 are designed to streamline the way the federal government administers the more than $600 billion in grants annually. These changes are designed to eliminate redundant requirements to achieve better outcomes at a lower cost. The two main areas affected by these changes are:
- The threshold triggering a single-audit requirement is presently $500,000 in federal expenditures. This proposal would raise that threshold to $750,000.
- There are now 14 compliance requirements that must be considered during a single audit; the proposal would reduce that number to only 6 requirements.
The OMB has stated that raising the threshold as proposed would not significantly change the overall coverage of single audit dollars being tested and would reduce the audit requirement for smaller organizations expending federal funds. Also, the OMB has received feedback from auditors that some of the 14 present requirements are rarely applicable, meaning that test work can be combined with other compliance requirements to make the audit process more effective and efficient.
If you would like to learn more about these or other OMB changes, feel free to contact Freed Maxick. Connect with our experts, or call us at 716-847-2651.