Know your security: GDPR misconceptions abound

By Jessica Salerno, OSCPA senior content manager

If you haven’t heard much from your organization on the impending impact of the EU General Data Protection Regulation (GDPR), you’re probably not alone.

“It is not uncommon for folks who might not be directly involved in the initiative to be surprised by it,” said Carly Devlin, managing director at Clark Schaefer Consulting. “And I think that’s definitely a common theme: a lot of the smaller and mid-size organizations are taking a wait and see approach. They might not have started compliance efforts yet.”

For those unfamiliar, GDPR is a new set of rules that went into effect in May expanding the rights EU citizens have over their data. For a more in-depth look at GDPR, check out our blog post. Devlin will speak with Jeffrey Pavelschak, director at Clark Schaefer Consulting, on GDPR at the Aug. 24 Financial Institutions Conference in Columbus.

“We’re planning to cover components of the regulation and how it could potentially affect accounting professionals,” Devlin said. “We want to go over some common misconceptions around the regulation and how this could lead to more regulations concerning data privacy.”

Devlin said a common question she gets from accountants is if this regulation applies to their organization and if regulators will go after small companies for noncompliance.

Although she said it’s likely EU regulators will target larger companies, like Google and Facebook, GDPR is different from past regulations because it allows private citizens to lodge complaints and even bring class action lawsuits.

“All it takes is one disgruntled customer or employee to make an organization that thought it could fly under the radar face scrutiny,” she said. “And the maximum fine is 4% of global revenue or 20 million euros, whatever is greater.”

For now, Devlin said business leaders should educate themselves and their organization on GDPR to prepare for whatever lies ahead.

“No one is really sure exactly how it’s going to play out,” she said. “We can assume the big U.S. tech companies are going to be under scrutiny, but we don’t know who regulators are going to go for after that. So if you’re not going to make the investment to completely comply with the regulation, you at least need to know how to get there and do a cost and benefit analysis. Make sure that it’s a decision you want to make or a risk you want to accept based on those fines.”

Register for the Financial Institutions Conference in person or via webcast.
