On May 25th, the European Union (EU) began enforcing the General Data Protection Regulation (GDPR), creating a new primary law that regulates the way in which companies protect EU citizens’ personal and private data. In doing so, the EU regained a stronger hold on the control of citizens’ data and offered assurances that citizens’ information is being protected securely. These laws may seem irrelevant to U.S. companies given the distance between America and Europe. How could regulations in the EU impact organizations operating in the United States? Why would American-based companies spend the time and money to ensure they are meeting these regulations? The answer is that an online presence in today’s globalized society means U.S. companies should have prepared for, and must continue to account for, the GDPR.
The reality is that any U.S. company with an online presence could potentially be impacted by the EU’s GDPR. In fact, a recent survey from PwC found that over 60 percent of all organizations planned to spend in excess of $1 million in order to ensure that they are meeting these regulations. The standardization of online privacy protections means establishing measures that ensure a fair level of data protection across a wide range of information. The term used for this information is personally identifiable information (PII), which covers things like social security numbers, political affiliations, IP addresses, sexual orientation, and much more. If they so choose, EU citizens can invoke “the right to be forgotten” at any time, and their personal data must then be deleted.
While protecting citizens’ private data is an essential first step, the next portion of the GDPR is even more critical. If a data breach does occur, the company has 72 hours to inform the authorities, in addition to informing the person whose information has been exposed. In fact, the company is liable even in breaches where a third-party company is involved. Finally, all companies in the EU are now required to designate an in-house data protection officer (DPO) to manage and supervise the company’s compliance effort. Not only are these regulations strict and pervasive, but failing to comply results in costly penalties. Firms can anticipate paying up to about $25 million, or as much as 4 percent of their company’s annual revenue, for failure to comply with the GDPR.
With many open questions and a number of potential issues regarding the details, the GDPR is most certainly a developing regulation. For instance, what happens when industry regulations prevent the deletion of certain pieces of information? Which regulation would take precedence? While we have yet to obtain all of the information, it is clear that cybersecurity is becoming more important than ever before. First and foremost, it is imperative for companies to fully understand what data they are storing, how they oversee that data, and where the data is used and handled throughout their organization. In addition, establishing a new level of compliance for data protection should be a priority. Are you aware of how your company handles and uses private data? Does your company have an action plan in the event of a breach? Are you able to delete data if a request comes in?
Answers to these questions should be at the foundation of your compliance plan. The GDPR is not going away, so having a defense strategy is important for U.S. companies of all kinds. To safeguard your organization, remain at the forefront of cybersecurity advancements and dedicate resources to building a strong cybersecurity team.