skip to main content


Manufacturing & Distribution

We combine the strength of business and financial expertise with a hands-on, “shop floor” approach to solving complex business issues.


July 17, 2018


General Data Protection Regulation (GDPR) is the most prescriptive global data protection law regulating enterprises that process personal data of European Union (EU) residents. The primary goal of the regulation is to provide a set of standardized data protection laws to make it easier for EU residents to understand how their personal data is being used and allow them to raise complaints, even if they do not reside in the country where the violation occurred.

The EU adopted GDPR two years ago to provide enhanced privacy and data protections for its citizens, and effective May 25, 2018, any organization inside or outside the EU that stores, processes or touches personal data of EU residents is subject to GDPR. Potential fines for non-compliance are administered by individual member state Supervisory Authorities, and can be massive (i.e., up to 20 million Euros ($23.5 million USD), or 4 percent of the company’s worldwide annual revenue).

Many manufacturing companies have been working diligently to become more customer-centric by gathering and analyzing data on the consumers of their products. Accordingly, manufacturers have been consuming more and more data as part of these Big Data initiatives. GDPR allows manufacturers to continue obtaining, retaining and analyzing personal data, but only if consent has been obtained from the individual. Manufacturers are also on the hook for implementing appropriate cyber measures to protect this data as well.

It may appear feasible for US manufacturers to largely ignore GDPR since its requirements apply only to EU citizens and companies deemed to be doing business in the EU. However, Facebook’s recent Cambridge Analytica debacle, where a political data firm inappropriately utilized over 50 million Facebook accounts, may dramatically speed up the arrival of similar privacy regulations here in the US. Even if your company is not yet subject to GDPR, UHY experts believe it won’t be long before similar onerous privacy legislation arrives in the US.

If you collect personal data and are not complying with GDPR, you are exposed.

What are the GDPR requirements?

Under the GDPR, organizations must:

  • Track an individual’s opt-in consent before collecting data, including the adoption of simplified public-facing privacy policies. These new policies allow users to better understand when their data is being collected and what they are allowing an organization to do with their data.
  • Support users’ right to be forgotten, right to data portability and right to object profiling. These new rights empower users to take control of where and how their personal data is used and stored.
  • Notify authorities within 72 hours of a data breach. Data breach notification plans ensure effective communication to law enforcement, users and shareholders under crisis.
  • Appoint data protection officers, data controllers and data processors. These specific data protection roles and responsibilities bring unified accountability to the organization’s data privacy.
  • Keep an inventory of all personal data that has been processed. Data maps can be a powerful tool for creating transparency in knowing what data is held, where it is stored, and who it is shared with.
  • Implement privacy by design (a framework to incorporate privacy controls) and data protection impact assessments (DPIA) throughout the data lifecycle. Designing with privacy proactively reduces unnecessary data and privacy risk.

Is your organization prepared?

The GDPR is a complex regulation with severe penalties for non-compliance. Since the deadline to comply has passed, there is an immediate and urgent need for organizations to review and adjust their data privacy and protection programs. To build an effective GDPR roadmap, ask the following questions of your organization:

  • Are we considered a company doing business in the EU?
  • Do we collect and/or process the personal data of EU citizens?
  • Do we know all the places within our organization where we store personal data?
  • Are we prepared to respond to requests from EU citizens asking about data we store about them?
  • Do we know how to purge all data on an EU citizen if they exercise their right to be forgotten from our systems?
  • If we were to experience a data breach, could we alert authorities within 72 hours and provide them with a data map of our systems?
  • Have we conducted a privacy impact assessment (PIA) to identify and create mitigation protocols for privacy risk?
  • Have we updated our privacy policy to comply with GDPR requirements?
  • Are we implementing privacy by design, proactively integrating privacy controls into our systems by default?

Tackling GDPR requires the right combination of modifications to business processes and supporting technology. There is much to gain from
building an effective GDPR roadmap, but where do you start?

Conduct one-on-one interview with key stakeholders such as the Chief Technology Officer, Chief Risk Officer, Chief Information Officer and Chief Marketing Officer to review all GDPR compliance plans and documentation to assess the readiness of your organization for the GDPR. Since awareness of GDPR is often limited in manufacturing organizations, it is important to educate the entire senior leadership team on GDPR’s requirements.

A thorough action plan should include conducting a PIA, creating a data map for your organization and designing a data breach notification procedure. Conducting a PIA to identify and evaluate your organization’s privacy risks can empower you to build an action plan to remediate your GDPR compliance gaps. Creating a data map for your organization helps to understand what kind of data you’re storing, who has access to it, and where your data lives across your organization. Finally, designing a data breach notification procedure enables your data protection officer to successfully engage with authorities and notify affected data owners in under 72 hours.

Manufacturers have ramped up their data collection efforts in the past decade. Work with your key stakeholders to implement your newly designed GDPR roadmap to ensure that data is protected, governed, managed and utilized effectively in line with your organization’s strategy. This is where privacy by design can help reduce unnecessary data and privacy risk throughout the data lifecycle.

To sustain compliance, develop and facilitate training and formal reporting procedures to ensure continuous compliance and data accountability. It is strongly recommended that your organization perform bi-annual audits and monitor your system and processes to have an always up-to-date understanding of your privacy risk.

Although personal privacy has been an important topic in the EU since the 1990s, privacy has not been a priority for most US-based businesses, especially manufacturers. Accordingly, GDPR represents a new set of requirements that many manufacturers in the US have never dealt with before. Manufacturing companies can create a competitive advantage and save a lot of headache regarding fines if they address data privacy requirements in their businesses now.

Hide Firm Disclaimer


UHY LLP is a licensed independent CPA firm that performs attest services in an alternative practice structure with UHY Advisors, Inc., and its subsidiary entities. UHY Advisors, Inc.’s subsidiaries, including UHY Consulting, Inc., provide tax and business consulting services through wholly owned subsidiary entities that operate under the name of “UHY Advisors” and “UHY Consulting”. UHY Advisors, Inc., and its subsidiary entities are not licensed CPA firms. UHY LLP, UHY Advisors, Inc. and UHY Consulting are U.S. members of Urbach Hacker Young International Limited, a UK company, and form part of the international UHY network of legally independent accounting and consulting firms. “UHY” is the brand name for the UHY international network. Any services described herein are provided by UHY LLP, UHY Advisors and/or UHY Consulting (as the case may be) and not by UHY or any other member firm of UHY. Neither UHY nor any member of UHY has any liability for services provided by other members.

On this website, (i) the term "our firm", "we" and terms of similar import, denote the alternative practice structure conducted by UHY LLP and UHY Advisors, Inc. and its subsidiary entities, and (ii) the term "UHYI" denotes the UHY international network, in each case as more fully described in the preceding paragraph.