
Playing Catch-Up with the General Data Protection Regulation

Finally, after two years of waiting, Europe’s General Data Protection Regulation takes effect starting today, May 25.

Beyond just Europe, the regulation is expected to reshape how global organizations manage, share and protect their users’ personal data. Many organizations across the world have scrambled to be ready. But based on public statements from companies and client feedback, it is clear that many companies are still not in compliance.

Still, with all the high-profile data breaches and misuses we have witnessed in the last few months (for example, Equifax and Cambridge Analytica), global businesses are taking GDPR seriously.

Even though the extent and depth to which the EU will enforce GDPR is not yet known, the potential fines of up to 4 percent of global annual revenue or 20 million euros should inspire an immediate review, and subsequent adjustment, of data privacy and protection programs. As a result, companies will have to restructure how they handle data, and, if their cyber infrastructure is not sound, they will have to rebuild it from the ground up, including their applications.

Even if the GDPR does not directly affect your organization, the requirements and guidelines contained within it can help any organization achieve resilient data privacy and protection.

Who is in compliance?

The answer differs based on several factors. Over the past two weeks there have been at least four distinct studies with very different results.

On May 21, a new GDPR study carried out by the Ponemon Institute found that 40 percent of the companies surveyed would not be ready.

A Crowd Research Partners report, drawn from the Information Security Community on LinkedIn, says that only 40 percent of the organizations surveyed would be fully compliant by today’s GDPR deadline.

A World Federation of Advertisers (WFA) survey released on May 23 stated that 95 percent of respondents planned to be fully compliant by the deadline; 74 percent said they believed their company would likely be fully compliant by the deadline, and 42 percent of those respondents said they definitely would be.

A Netsparker GDPR survey of 300 senior executives found that only 2 percent of those surveyed said that they do not expect to be compliant by today’s deadline.

The various survey results indicate that there is still much confusion around GDPR.

For those organizations that are playing catch-up with GDPR, the first step is to realize that they will need their customers’ permission to collect and process their data. This includes internal tools used to share or analyze the data internally, excluding tools that encrypt the data end to end.

The steps should be prioritized by risk and execution complexity within your organization.

  • Revise the procedures that define how you will handle an individual’s request to erase or rectify inaccurate data. Executing this process will take the longest time, so it should be prioritized.
  • Review your contracts with third parties. Their compliance is your risk exposure, so you need to make sure they are compliant.
  • Review and understand how you process your customer data, mapping the data processing activities across your business processes. This activity, previously put on the back burner, needs to be moved up. It is a compliance activity, not a systems analysis activity, and it simply isn’t optional anymore.
  • Revise your data security practices and systems to be in compliance with GDPR. The core initiative for meeting EU GDPR compliance is to protect user data. If you have not already, take inventory of your data and map it to the protected EU GDPR categories. Most importantly, once you know where your data is and how it is being used, a prudent step would be to also implement a data leak prevention tool and policy to enforce GDPR systematically by late spring of 2018.

The entire article was originally published by Information Management.
