
The EU's GDPR Regulation: Are You Prepared for the May 25th Deadline - And What Comes Next?

Many middle market companies are unaware of the impending May 25 deadline to comply with the European Union's (EU) General Data Protection Regulation, better known as GDPR. The EU adopted GDPR two years ago to strengthen privacy and data protection for individuals in the EU, and beginning May 25, 2018, companies that process the personal data of people in the EU are subject to GDPR, including companies based in the US. Fines for non-compliance can reach 20 million Euros (roughly $24 million USD) or 4% of the company's worldwide annual turnover, whichever is higher.

Although personal privacy has been an important topic in the EU since the 1990s, privacy has not been a priority for most US-based businesses. Accordingly, GDPR represents a new set of privacy requirements that many IT shops in the US have never dealt with before.

It may have seemed feasible for US businesses to largely ignore GDPR, since its requirements apply only to the personal data of individuals in the EU. However, Facebook's recent Cambridge Analytica debacle, in which a political data firm inappropriately used data from over 50 million Facebook accounts, may dramatically speed up the arrival of similar privacy regulations in the US. Even if your company is not subject to GDPR, UHY experts believe it won't be long before similar legislation arrives here. Address privacy in your business now by adopting leading privacy practices and turning them into a competitive advantage.

What Does GDPR Require?

  • Obtain and record an individual's opt-in consent before collecting their data, and simplify public-facing privacy policies so that consent is informed.
  • Support users' Right to Be Forgotten (erasure), Right to Data Portability and Right to Object to Profiling.
  • Notify the supervisory authority within 72 hours of becoming aware of a personal data breach.
  • Appoint a Data Protection Officer where GDPR requires one, and clearly assign Data Controller and Data Processor responsibilities (including contracts with processors).
  • Keep records of all personal data processing activities.
  • Implement Privacy by Design (a framework to incorporate privacy controls) and perform Data Protection Impact Assessments (DPIA) throughout the data lifecycle.

Are You Prepared?
With the deadline looming, there is an immediate need for organizations to review and adjust their data privacy and protection programs. To build an effective GDPR roadmap, start with the following questions:

  • Do we collect and/or process the personal data of individuals in the EU?
  • Do we know every place within our organization where we store personal data?
  • Are we prepared to respond to requests from EU data subjects asking what data we store about them?
  • Do we know how to purge all data on an individual from our systems if they exercise their Right to Be Forgotten?
  • Are our security controls effective enough to protect personal data, and to detect and respond to potential breaches?
  • If we experienced a data breach, could we alert the supervisory authority within 72 hours and provide a data map of our systems?
  • Have we conducted a Data Protection Impact Assessment (DPIA) to identify privacy risks and define mitigations for them?
  • Have we updated our Privacy Policy to comply with GDPR requirements?
  • Are we implementing privacy by design, proactively integrating privacy controls into our systems by default?

How Can UHY Help?
UHY is finding that many middle market companies are unaware of GDPR's requirements and may lack the compliance and legal resources needed to implement a plan. The cybersecurity and privacy experts at UHY Advisors can assist organizations by:

  • Performing a GDPR readiness assessment
  • Designing an action plan to achieve GDPR compliance
  • Implementing your GDPR roadmap
  • Sustaining compliance

Tackling GDPR requires the right combination of changes to business processes and to the technology that supports them. Don't wait to address your GDPR compliance requirements; for more information, contact UHY Advisors at one of our many locations.

UHY LLP is a licensed independent CPA firm that performs attest services in an alternative practice structure with UHY Advisors, Inc., and its subsidiary entities. UHY Advisors, Inc.’s subsidiaries, including UHY Consulting, Inc., provide tax and business consulting services through wholly owned subsidiary entities that operate under the name of “UHY Advisors” and “UHY Consulting”. UHY Advisors, Inc., and its subsidiary entities are not licensed CPA firms. UHY LLP, UHY Advisors, Inc. and UHY Consulting are U.S. members of Urbach Hacker Young International Limited, a UK company, and form part of the international UHY network of legally independent accounting and consulting firms. “UHY” is the brand name for the UHY international network. Any services described herein are provided by UHY LLP, UHY Advisors and/or UHY Consulting (as the case may be) and not by UHY or any other member firm of UHY. Neither UHY nor any member of UHY has any liability for services provided by other members.

On this website, (i) the term "our firm", "we" and terms of similar import, denote the alternative practice structure conducted by UHY LLP and UHY Advisors, Inc. and its subsidiary entities, and (ii) the term "UHYI" denotes the UHY international network, in each case as more fully described in the preceding paragraph.