GDPR Is Coming: Why U.S. Companies Must Start Planning for GDPR Now
We have less than a year before the EU General Data Protection Regulation (GDPR) goes into effect on May 25, 2018.
Even though GDPR originated within the EU, it applies to any organization that collects or processes the personal data of EU citizens or residents. It also doesn’t matter if the data is from a customer or an employee. Simply put, if your business has a global reach, you will likely need to comply or be subject to penalties if there is a data breach and you are found to be out of compliance.
Most U.S. companies who are doing business on a global scale have already taken notice of GDPR and plan to allocate a nice sized budget for compliance activity. Earlier this year, PricewaterhouseCoopers surveyed hundreds of U.S. companies about their GDPR Preparedness plan. I think the results of that survey were unexpected, but very telling.
They found that 92 percent of U.S. multinational companies cited compliance with GDPR as a top data protection priority in 2017. Also, 68 percent are earmarking a budget of between $1M and $10M for GDPR readiness and compliance efforts, with nine percent expecting to spend over $10M. Those numbers are staggering and prove how important of a topic GDPR will be – not just over the next 12 months, but as a long-term compliance initiative.
The whole idea of protecting private information isn’t new. In the United States, we should all be familiar with data protection rules such as Health Insurance Portability and Accountability Act (HIPAA) that was introduced back in 1996. This is a great example of a regulation that resulted from the need for more privacy around personal data. The U.S. government has also put tougher requirements on government organizations around cybersecurity.
Earlier this year, the U.S. president signed an executive order to strengthen cybersecurity of federal networks and critical infrastructure. I don’t believe the U.S. will come up with a version of GDPR tomorrow or even within the next year, but it is likely in the future with the increasing number of cyber-attacks, and with organizations finding it harder and harder to protect their data.
U.S. Companies Can't Wait Any Longer
Now is the time to start developing and implementing your compliance strategy. You may or may not already have an allocated budget, but that shouldn’t keep you from kicking off a project around evaluating existing data protection policies. For any company who must comply with GDPR, here are biggest reasons why you need to start your compliance planning right away:
- The requirements are comprehensive – If you read my Navigating the Seven Key Principles of GDPR blog article, then you know GDPR has introduced a lot of new requirements. Organizations are now required to have new or updated processes and policies in place that cover how you collect, manage, store, update, and secure personal data. There is an exhaustive list of processes and policies that must be evaluated. Just a few examples are initial processing, storage, and access provisioning. Think about how much effort it will take for a complete review of your onboarding and offboarding processes. To add salt to the wound, there is much more to GDPR than just documentation, you must have the ability to enforce those policies, then demonstrate compliance in case of an audit or breach. Because GDPR is so comprehensive, don’t underestimate the amount of time you need to address all the requirements.
- You have months, not years – With the deadline on May 25, 2018, you can’t waste any more time before you launch a project around GDPR compliance. It takes time to get the right processes, policies and technology in place – especially in organizations who are not used to change or fight the idea of doing things differently. Introducing new technology alone can be time consuming. Not only do you have to decide where your technology gaps are, but it takes time to evaluate various solutions, go through the purchase cycle, then the real work starts to get it fully deployed. It is my understanding that that the GDPR governing authorities don’t plan to audit every company on day one, but what if you experience a breach like the recent WannaCry ransomware attacks once GDPR has taken effect? You must do all you can over the next several months to get compliant by the deadline and that means starting now.
- Steep penalties await the non-compliant – GDPR compliance is not just a suggestion, it outlines real consequences for non-compliance. To help you understand, let me explain a little history of GDPR. The European Commission recognized that data protection and privacy was an issue back in 1995 and put some directives in place. In 2012 they passed a reform, but it still remained only a directive. Those previous directives were not anywhere near today’s version of GDPR and certainly didn’t have the hefty penalties in place if someone was found out of compliance after a breach. The cost of not complying with GDPR can be 10-20 million euros, or up to two to four percent of a company’s total worldwide annual revenues of the preceding fiscal year. Nobody will want to be the first to be found non-compliant because that will certainly cost a lot of money, besides making headlines.
Take the Next Step on Your GDPR Journey
With the sophistication of cybercrime and the amount of breaches we are hearing about today, GDPR really is the perfect storm for U.S. companies. However, there is some good news. There is help out there so you don’t have to do everything manually or alone.
Companies like Ivanti help you implement your General Data Protection Regulation (GDPR) strategy with solutions to assess risk, enforce policies, secure data, respond to incidents and requests, and prove compliance. Ivanti helps unify IT and security operations, enabling the measurement of risk across the organization to assist in implementing a comprehensive GDPR compliance plan. Technology alone won’t make you compliant, but you can make a concerted effort to get the right technology solutions in place to help mitigate your risk.