For American companies doing business in Europe, it’s time for a football analogy to make an essential point about the General Data Protection Regulation, or GDPR. It’s the fourth quarter with less than two minutes to go. Your team is faced with a fourth down on the 20-yard line and the score is close. Fans are on the edge of their seats. The time has come to go for it – to gain the necessary yardage and, through brute force, score a touchdown. The logic of punting the pigskin downfield has long passed.
For too many stateside businesses, punting on the fourth down in the fourth quarter when the score is close is what they’ve been doing as it relates to GDPR. The GDPR is a new European Union law set to replace the 1995 Data Protection Directive and is designed to enhance – and unify – data privacy laws across the 28-member states. Billed as the most significant upgrade to data privacy regulation in a generation, the GDPR measure was approved by the EU parliament in April 2016 with an enforcement date slated for May 25, 2018, roughly seven months from today. Failure to meet the law’s regulations will result in significant fines.
Across the pond, however, in the good old US of A, business leaders with connections to Europe have seemingly taken a laissez-faire approach to the whole affair. According to research analyst firm Gartner, more than half of US companies affected by GDPR will not be in full compliance by May 25. This is despite a recent PwC finding that an overwhelming 92 percent of survey respondents felt compliance with the new regulations was of paramount concern. Many companies endorse a “wait-and-see” approach.
Making GDPR Make Sense
While such tactics might work with respect to the new data security guidelines about to go into effect for financial services companies in New York, as we wrote about in an earlier blog, there is much less uncertainty about which organizations are impacted by GDPR and the types of fines that will be leveled for non-compliance. Unlike New York’s pending law, the EU’s GDPR has plenty of teeth to enforce its edicts. Companies that fail to comply could face a $23 million fine.
To a large extent, New York’s data security regulations have been modeled after Europe’s. Some of the critical aspects of GDPR include:
- Consent of usage – Customers must consent to the fact that a given company is using their personally identifiable information. Customers must also consent to how that data is being used. Again, these guidelines are now universal across the EU and non-EU entities that do business in the EU.
- Breach notification – As with New York, companies must report a data breach within 72 hours of the breach becoming known to the company experiencing it. This wording gives important flexibility as not all companies know the exact minute they’ve been hacked.
- Right to access – Customers have a right to access their personal data and to receive that information in a clear electronic format.
- Right to be forgotten – Also known as the right to data erasure, customers have the right to demand that their personal data be deleted from companies – especially if that information is no longer relevant to continued business. Importantly, this stipulation includes third party usage.
- Data protection officers – Companies will be required to hire qualified data protection officers for internal record keeping and management.
“Wait-and-See” is Fundamentally Flawed
For a variety of reasons, wait-and-see is a weak fourth-quarter play, and not just because of the steep penalty noted above. For starters, it’s in a company’s best interest to safeguard customer data. Doing so promotes sound business practices and encourages repeat sales. There’s also money to be made in promoting your brand as one that cares about protecting customers’ identifiable information. Second, complying with a unified set of laws standardizes a broad swath of business interactions, improves efficiency, cuts down bureaucratic waste, and builds consumer confidence.
This football season, as NFL superstars take to the gridiron, let the team at Kelly Communications Systems help your company fortify its defensive strategy. Over the last 30 years, we have been a recognized consultant of IT-centered products, security, and support services to Fortune 1000 and large enterprises in the New York metropolitan area. Sit down with us to: a) determine if you need to comply with the new EU law and b) get up to speed with the right tools and technology to best protect your company and your customers.
In the last 20 years, there’s been a staggering increase in the amount of personal info posted online. Likewise, there’s been a corresponding uptick in the frequency of disruptive (and costly) data breaches. Don’t let data hacks penetrate your brand’s corporate end zone this season – or any others that follow. Score big and sack data hackers today!
Want more information on GDPR and how Kelly Communications Systems is helping US companies with EU compliance?