A 'Wait and See' Approach for GDPR Is Going to Be Pricey for U.S. Organizations Doing Business With the E.U.
The General Data Protection Regulation (GDPR) is the talk of the business town, at least over here in my native U.K. If you somehow managed to escape this, the abbreviation refers to the major new European Union legislation due to come into effect less than nine months from now.
From May 25, 2018, any organization that controls or processes personal data about individuals in the EU must have appropriate organizational and technical measures in place to comply with the GDPR, including what the regulation calls "data protection by design and by default." Note that the regulation protects data subjects in the Union regardless of their citizenship, and it reaches organizations outside the EU that offer goods or services to those individuals or monitor their behavior.
The full rules are set out on the regulation's website, but they include requirements such as mandatory breach notification (to the supervisory authority within 72 hours of becoming aware of a breach, where feasible) and the right of data subjects to obtain confirmation of whether their personal data are being processed, and for what purpose.
Why should U.S. businesses care? Any company with customers in Europe, or one looking to expand across the Pond, should already be deep into planning and implementation so that it is ready when the regulation becomes enforceable next May. Yet the analyst firm Gartner predicts that more than 50 percent of companies affected by the GDPR will still not be in full compliance with its requirements by the end of 2018.
This is despite the fact that, in a PwC survey of U.S.-based multinationals, 92 percent of the companies affected by the GDPR cited compliance with it as a top data-protection priority.
This is hardly a surprise. Whenever a major unifying law or piece of legislation like this is proposed, organizations tend to take a "wait and see" approach, watching how the rules are enforced before making critical decisions about how far to go in their response.
That stance may prove costly with the GDPR, however. For the most serious infringements, fines can reach €20 million (almost U.S. $24 million) or 4 percent of global annual turnover, whichever is greater; a lower tier of €10 million or 2 percent of turnover applies to other breaches of the regulation. My advice to companies, then, is not to be tempted to "wait and see" whether the GDPR rules are enforced, or whether they are enforced more strictly in some member states than in others.
Indeed, with this unifying data law just around the corner, a passive approach is a poor plan of attack. Companies need to be ready from the start -- and here are three key reasons why.
1. Customer data must be safeguarded.
There is evidence that privacy sells. Over the last couple of years, the use of ad blockers has increased significantly worldwide. A recent report by the analytics company PageFair found that ad-blocker usage grew 30 percent last year, with 615 million devices blocking ads worldwide by the end of 2016, and security was the reason most often cited for installing the software.
Consumers are also increasingly aware of how personally identifiable information (PII) can be abused, and they care about it: their data must be kept safe. The onus is therefore on organizations to do this going forward, first and foremost because it is the right thing to do and the ethical way to do business, whatever headache it causes at the start.
2. GDPR rules aren’t luxuries, they’re solid best practices.
The GDPR is the biggest shake-up to data privacy in a generation, but organizations should keep in mind the overriding aims of the new rules: to harmonize data-protection law across the EU and to shift the burden of proof from individuals to organizations, which must now be able to demonstrate their own compliance (the regulation's accountability principle). Seen that way, the rules are simply best-practice guidelines for companies to follow. Most companies should already have the majority of them in place, and for the rest, now is the time to start.
A “wait and see” approach makes sense only if the potential risks are outweighed by the efforts required to prevent them. GDPR may require coordination and effort in the beginning, but in most cases, it’s just enforcing best practices for data handling and management, so these are steps that companies should be taking as a matter of course.
3. GDPR will ultimately help you win more business in Europe.
Where once citizens had to show that they were the victims of data misuse or a security breach, organizations must now demonstrate that they have taken appropriate pre-emptive measures to protect personal data. A company that takes the initiative from the start can turn that into a selling point with customers across Europe; over time, demonstrable GDPR compliance should translate into more business won on the continent.
Beyond the direct financial consequences of the GDPR, which are considerable, the effect on reputation and brand loyalty can have an even greater financial impact in the long run.
With any new piece of legislation, the first breaches and fines are likely to draw heavy coverage for the companies involved. I urge companies to spend the time now securing their customer data rather than risk a headline-grabbing fine and the damage to their brand's reputation that comes with being a test case.
A good starting point is to work with partners who understand the complexities of the European market and its regulations, and who can simplify GDPR compliance by supporting the security, data-portability and encryption work your customer data requires.