Many middle market companies are unaware of the impending May 25 deadline to comply with the European Union's (EU) General Data Protection Regulation, better known as GDPR. The EU passed GDPR two years ago to provide enhanced privacy and data protections for its citizens, and beginning May 25, 2018, companies that process the personal data of EU residents are subject to GDPR, including those based in the US. Fines for non-compliance with GDPR can be up to 20 million euros ($24 million USD) or 4% of the company's worldwide annual revenue.

Although personal privacy has been an important topic in the EU since the 1990s, privacy has not been a priority for most US-based businesses. Accordingly, GDPR represents a new set of privacy requirements that many IT shops in the US have never dealt with before.

It may have been feasible for US businesses to largely ignore GDPR, since its requirements apply only to EU citizens. However, Facebook's recent Cambridge Analytica debacle, in which a political data firm inappropriately used data from over 50 million Facebook accounts, may dramatically speed up the arrival of similar privacy regulations here in the US. Even if your company is not subject to GDPR, UHY experts believe it won't be long before similar legislation arrives in the US. Address privacy in your business now by integrating privacy leading practices to create competitive advantage.

What Does GDPR Require?

  • Track an individual's opt-in consent before collecting data, including the simplification of public-facing privacy policies.
  • Support users' Right to Be Forgotten, Right to Data Portability and Right to Object to Profiling.
  • Notify authorities within 72 hours of a data breach.
  • Appoint Data Protection Officers, Data Controllers and Data Processors.
  • Keep an inventory of all personal data that has been processed.
  • Implement Privacy by Design (a framework to incorporate privacy controls) and Data Protection Impact Assessments (DPIA) throughout the data lifecycle.

Are You Prepared?

With the deadline looming, there is an immediate need for organizations to review and adjust their data privacy and protection programs. To build an effective GDPR roadmap, start with the following questions:

  • Do we collect and/or process the personal data of EU citizens?
  • Do we know all the places within our organization where we store consumer data?
  • Are we prepared to respond to requests from EU citizens asking about data we store about them?
  • Do we know how to purge all data about an EU citizen from our systems if they exercise their Right to Be Forgotten?
  • Are our security controls effective enough to protect against, detect and respond to potential personal data breaches?
  • If we were to experience a data breach, could we alert authorities within 72 hours and provide them with a data map of our systems?
  • Have we conducted a Privacy Impact Assessment (PIA) to identify and create mitigation protocols for privacy risk?
  • Have we updated our Privacy Policy to comply with GDPR requirements?
  • Are we implementing privacy by design, proactively integrating privacy controls into our systems by default?

How Can UHY Help?

UHY is finding that many middle market companies are unaware of GDPR's requirements and may not have the compliance and legal resources needed to implement a plan. The cybersecurity and privacy experts at UHY Advisors can assist organizations by:

  • Performing a GDPR readiness assessment
  • Designing an action plan to obtain GDPR compliance
  • Implementing your GDPR roadmap
  • Sustaining compliance

Tackling GDPR requires the right combination of modifications to business processes and supporting technology. Don't wait to address your GDPR compliance requirements; for more information contact UHY Advisors at one of our many locations.