A regulation that threatens to cost businesses up to 4 percent of their annual turnover, or up to 20 million euros, is usually the type of thing that raises eyebrows in a big way and spawns immediate action.
But if your company does business in European Union countries, or merely has data concerning residents and subjects of the European Union, and you're not in compliance with the EU's General Data Protection Regulation (GDPR), you very well could be facing that huge penalty in a few months' time.
The GDPR rules were first proposed by the European Commission in January 2012 and went through various revisions and negotiations before a framework was finally agreed upon in December 2015 and then officially approved by the European Parliament on April 14, 2016. The rules take effect May 25, 2018.
The rules span some 99 articles and 88 pages, but are centered on the principle that every EU citizen "has the right to protection of personal data." GDPR includes aspects such as requiring affirmative consent before users give a tech service or website personal information, notifying users about data breaches, and mandating a data protection officer for firms that handle large amounts of personal data.
For the 28 countries that currently make up the EU, GDPR was an intuitive step that promises to streamline current data privacy rules and will lead to substantial cost savings.
However, the regulations replace EU directives from more than 20 years ago that all member states have implemented differently. So, companies based in North America that operate in one or two European countries and were in compliance with those countries' existing data rules must now comply with GDPR — even if it happens to be far more stringent.
For U.S. companies, GDPR compliance is definitely an important agenda item prior to the effective date of May 25 next year. A PwC survey of 200 U.S.-based multinationals from January stated that GDPR was the top data protection priority for 54 percent of those firms, and one of several priorities to a further 38 percent. Furthermore, 77 percent of survey respondents said that they planned to spend $1 million or more on GDPR compliance.
And yet, while those signs are promising for the security of EU data and beyond, well-known tech-research firm Gartner predicted in May that more than half of companies, regardless of country, wouldn't be in full compliance with GDPR not only by May 25, but by the end of 2018. If your company could be among them, it's time to quit waiting and accelerate those compliance plans.
"A 'wait and see' approach only makes sense if the potential risks are outweighed by the efforts required to prevent them. GDPR may require coordination and effort in the beginning, but in most cases, it's just enforcing best practice for data handling and management so these are steps that companies should be taking as a matter of course," said Patrick Lastennet, director of marketing and business development at Interxion, a nearly 20-year-old firm that operates 45 data centers across 13 cities on the European continent.
If we take Gartner at its word that 50 percent of companies still won't be in full compliance by New Year's Day 2019, that means your company has the opportunity to win valuable trust with potential customers — and regulators — by being in compliance by next May.
"Where once citizens needed to show they were the victims of data misuse or security breaches, organizations must now demonstrate they've taken the right, pre-emptive actions to protect personal data appropriately," Lastennet said. "If your company takes initiative from the start, this will boost your company's customer base across Europe."
Of course, the biggest story in years involving the EU has been Brexit, which will bring the number of member states down to 27 after the United Kingdom voted to leave the Union in June 2016.
If you're a North American small business that happens to do business only with the U.K., you may think that GDPR won't apply to you. However, the scheduled U.K. departure date of March 29, 2019, looks more uncertain by the day and falls after the GDPR effective date. Also, the U.K. government expects to codify standards similar to GDPR for data protection in Britain and Northern Ireland post-Brexit.
If your company has been hesitating on GDPR compliance measures, it's time to take action immediately. Not doing so could mean big penalties and the loss of customer trust.