
EU companies late on implementing biggest shake up of data protection laws

General Data Protection Regulation (GDPR) will come into force in the European Union (EU) member states on 25 May 2018, affecting the way in which all organisations collect and store personal data.

GDPR will apply to any organisation (including charities) holding or processing EU personal data, and it has been widely described as the biggest shake up of data protection laws for 20 years. The original Data Protection Act 1998 only placed obligations on data controllers, but the new law will also apply to data processors, which significantly increases the regulatory exposure of companies. The GDPR will have 80 requirements, including rules on consent, and will apply to any company offering goods or services to the EU even if it has no physical presence there.

All contracts involving the processing of personal data must be in writing and, in order to monitor this, businesses are required to appoint a data protection officer. According to Deloitte’s report GDPR Vision and Approach, it is estimated that 28,000 new data protection officers will be required in Europe. Data controllers or processors have 72 hours to report a data breach to the relevant supervisory authority.

There are a number of aspects of the GDPR that will take considerable time for some organisations to achieve, such as governance, risk and assurance capabilities, as well as technical and data protection skills. According to BDO legal counsel Odeline MacDonald, it is generally considered that about half of the companies affected by the GDPR will not be in full compliance with its requirements by the end of 2018.

Van Havermaet (member of Morison KSi) assistant legal consultant Vincent Loenders said that accountancy firms will be required to adapt their way of working, internal organisation and security.

“Unfortunately, we have the impression that the majority of the accounting firms will be unprepared,” Loenders said. “Also we have noticed that most companies do not fully understand the importance of GDPR and the risks with regard to these new regulations. A lot of companies still think the GDPR will not be applicable to them.”

The maximum fine that the ICO can currently impose is £500,000 (USD $647,000) per breach; under the GDPR, the penalties for failing to comply with the new laws could reach a maximum fine of €20m (USD $23.8m) or 4% of global turnover, whichever is greater.

Loenders said: “Very severe administrative fines can make a company go bankrupt. There is always the risk that the supervisory authority will spontaneously investigate your company, or the possibility that a dissatisfied customer or employee will file a complaint. Therefore it is quite likely that every company will be inspected at some point.”

A lot of attention has lately been directed at the considerable fines, MacDonald explained, but companies should rather focus on the overall changes, such as the accountability of companies controlling or processing EU personal data.

“The reputational damage as a consequence of a serious privacy breach or failure is likely going to be much greater or costly,” she said.

Large multinationals have already been preparing, but smaller businesses are yet to put in place the processes and expertise required. MacDonald explained that businesses will need to move from a mind-set of compliance to a mind-set of commitment, managing data carefully and ethically. The GDPR also demands that personal information is processed with data minimisation and storage limitation in mind.

Van Havermaet began the implementation of GDPR-specific requirements six months ago and has raised data security awareness for both clients and staff within the organisation.

Loenders commented on the process of implementation: “We charted the information flow, how the information is received, what we do with it, where we store it and with whom it is shared, resulting in a production process. We are currently cross-referencing the requirements with the steps in our production process. We will then check if we are compliant, and if not, we will adjust.”

Yet Loenders pointed out that there are not many publicly available practical guides or news items on how to actually implement the GDPR.

“This is an intimidating challenge, and it can be difficult to know where to start. It is important that businesses, regardless of their size, get their act together and start preparing for GDPR and do not wait until May 2018,” MacDonald said.

Loenders concluded: “There isn’t much time left so if you still have to start now, you are already too late.”
