By now, if you’re a company that handles EU citizens’ private data, chances are you’re familiar with the EU’s new General Data Protection Regulation (GDPR).
However, according to the results of a recent survey by SC Media, there’s also a chance that you may not be ready.
The survey, underwritten by Guidance Software and conducted in April of this year, polled 337 IT and security professionals in the U.S. who do business in the EU and access citizens’ private data. When asked about their company’s status with regard to planning for and implementing GDPR, more than half of respondents indicated they either didn’t have a roll-out timetable or were unlikely to be compliant when it goes into effect in May.
But that doesn’t mean it’s not a priority. According to another GDPR survey conducted a few months earlier by PwC, most U.S. companies expect to spend at least $1 million on readiness and compliance. Of these, nine percent expect to spend over $10 million.
Initially adopted by European regulatory authorities in 2016, the GDPR is a strict set of requirements that will a) increase privacy requirements for organizations handling EU citizens’ data and b) simplify (in some respects) the compliance process by replacing an existing patchwork of 27 national regulations with a uniform regime throughout the EU.
Described by eugdpr.org as “the most important change in data privacy regulation in 20 years,” it applies not only to companies within the EU, but also to companies outside the EU if they’re processing and holding EU citizens’ personal data.
What happens when you comply, or don’t
Companies that do comply with the requirements can benefit in several ways: more robust and reliable processes and contractual agreements, and lower legal fees. As Information Age notes, GDPR creates greater “legal certainty,” which means that organizations will no longer need local legal counsel in each member state to ensure local compliance.
There’s also the ability to point to one’s compliance when speaking with clients and prospects. Since many companies may not be prepared, at least not initially, this could become a significant competitive differentiator.
Companies that don’t comply may not only lose business to those that do, but can also be hit hard financially. Although initial penalties for first or unintentional violations may be minimal, subsequent violations carry heavy fines of up to 20 000 000 EUR or, in the case of an undertaking, up to four percent of total worldwide annual turnover for the preceding financial year, whichever is higher.
The GDPR, which replaces the now-antiquated EU Data Protection Directive, has several key components. According to the American Bar Association, these include greater territorial reach (jurisdictions will be measured digitally rather than physically, which means it’ll impact more entities), expanded definitions of personal data, enhanced individual rights, greater transparency around data collection, direct and greater liability for data processors, requirements for appointing data protection officers, and — no surprise here — more stringent documentation.
By Eric Egnet