U.S. Businesses Struggling To Grasp Demands Of GDPR



Dan Gunderman
11/16/2017

To comply or not to comply? That is the – timely and fateful – question.

The European Union’s (EU) comprehensive data protection measure, the General Data Protection Regulation (GDPR), takes effect in May 2018, meaning it is right around the corner for enterprises operating within the EU and for businesses that cross borders and handle European data.

The regulation – which is poised to give individuals more control over their privacy – lays out fines for failure to comply. These could amount to 4% of annual revenue or €20 million ($23 million). Despite these exorbitant figures, the GDPR does not seem to be registering as clearly as it should with some companies, especially those based in the U.S.

It appears that some organizations with cloud infrastructure, for example, are ill-equipped to handle the imminent change. According to Computer Weekly, only 22% of U.S. organizations are both concerned about the GDPR and have a thorough plan in place. These figures stem from a poll of 323 VMworld 2017 attendees, conducted by cloud security firm HyTrust.

Respondents came from a variety of backgrounds, including government/military, financial/insurance, healthcare/biotech and manufacturing. Fifty-one percent of them said their organization is either not concerned with the GDPR or unaware of its relevance. Meanwhile, 27% of respondents said they are concerned about the impending regulation but have no discernible plan prepared.

According to Gartner, 50% of businesses affected by the regulation will not be fully compliant come deadline day, May 25, 2018.

EU Money

Enterprises could, and should, be determining which of their data streams relate to European citizens, whether additional resources are needed to protect that data, and how much should be budgeted for this evaluation.

Getting enterprises up to snuff is no easy task, though, and it is only complicated by further regulatory issues. David Zetoony, head of consumer protection at the law firm Bryan Cave, told the Financial Times that “full compliance is more myth than reality.”

“The real question is what level of compliance you want to achieve,” he said.

Now, enter the GDPR, with its wide scope and global impact. The regulation’s immediacy and financial implications have some SMBs – those that may not have the most robust data protection measures in place – at a standstill. It also has enterprises of all sizes paying close attention, if only to try to navigate the tough regulatory road ahead.

Zetoony told the FT that compliance becomes like any other business decision: one must weigh each side of the issue. He said that some organizations, by delving too far into regulation, can become “compliance companies” and lose sight of their business goals.

Another wedge driven into the GDPR topic is the Privacy Shield, a hastily approved framework that grants 2,400 U.S. companies (e.g., Microsoft and Google) safe passage for commercial data. They must still adhere to EU data protection standards, but they will not be in breach of EU laws on personal privacy. The EU-U.S. framework is a replacement for the International Safe Harbor Privacy Principles, which were struck down by the EU Court of Justice in October 2015.

The Shield has been legally challenged by France and Ireland. What’s more, some concern has been leveled against the U.S. over its possible methods of obtaining data. Since Donald Trump’s administration has yet to appoint an ombudsman to hear data complaints from EU citizens, some abroad believe the country’s future actions in this respect will be self-serving.

The GDPR is cause for alarm for some U.S. enterprises because of the differing regulatory environments of Europe and the U.S. Despite its assortment of federal privacy laws, state laws and obligations set forth by the Federal Trade Commission (FTC), the U.S. has no all-encompassing model for data protection. This creates a distinctly different regulatory ecosystem.

Recently, other world powers have passed cyber security laws of their own. These include China and Russia, whose respective laws require personally identifiable information (PII) to remain on servers within the nation’s own borders (although some believe the laws were created to allow more internal snooping).

Ultimately, the question becomes: do international companies cherry-pick the regions in which they conduct business based on the GDPR? Or do they press ahead with compliance initiatives just in time for next spring? Either way, steep fines linger on the horizon.