With the May 25, 2018, enforcement deadline approaching, many businesses are wondering how the General Data Protection Regulation (GDPR) will affect them. Briefly, the GDPR is a joint effort from the Council of the European Union (EU), the European Commission, and the European Parliament to better protect citizens’ personal data, give them greater control over how companies handle and use their personal data, and make it easier for companies to comply with this single personal data oversight regulation. To learn more about the basic tenets of GDPR, see our earlier post, What is GDPR? And is Compliance Required?
Costly GDPR Unawareness
The widespread confusion and lack of awareness about GDPR compliance among European business leaders is even greater among company leaders outside of Europe. According to NTT Security’s 2017 Risk: Value report, less than 40% of respondents from the United Kingdom acknowledge that GDPR is a compliance consideration, with 20% unaware of whether they will be affected by GDPR. And in the United States, Australia, and Hong Kong, only about a quarter of those surveyed thought they were subject to GDPR. These statistics reveal that many companies are potentially blind to GDPR compliance. However, as with any legal matter, ignorance of the law is no defense, and the penalties for noncompliance are steep. Fines can reach €20 million (approximately $24.7 million USD) or 4% of global annual turnover, whichever is greater.
The Reach of GDPR
Many U.S. company leaders erroneously believe that if they don’t engage in direct business with any of the EU states, they don’t have to worry about GDPR. However, this simply isn’t true. If a company collects, handles, or in any way touches personally identifiable information (PII) about any EU citizen, for example through a website survey or a directed marketing campaign, it is subject to GDPR and its hefty fines. Forbes sums it up: “any U.S. company that has identified a market in an EU country and has localized web content should review their web operations,” especially U.S.-based travel, software services, hospitality, and e-Commerce businesses. And these aren’t the only cases where GDPR applies.
Getting a Grasp on GDPR
As polls and survey results reveal, organizations around the globe aren’t prepared for—or perhaps even aware of—GDPR. With the possibility of penalties that could lead to bankruptcy, and the potential to cause irreparable harm to a company’s reputation, executives are urged to pay close attention. As with any compliance measure, the best defense is a good offense. For instance, a relatively conservative investment in a security audit and compliance review will pay in spades when compared to the potential cost of a GDPR violation.