You probably know that businesses regularly collect and use consumers' personally identifiable information (PII), but do you know which companies have information about you, what information they have, and how precisely they collect and use it? More importantly, do you believe you have the right to deny or restrict what businesses do with your personal information?
The 1998 Data Protection Act
These and similar questions have concerned lawmakers in the European Union for decades. The United Kingdom first seriously addressed the issue with the passage of the Data Protection Act in 1998. That legislation provided limited protections against potential exploitation of user data. With the recognition of a wide range of new security threats in the intervening two decades, however, the European Union more recently decided to take more sweeping action. The result of these efforts was the passage of the General Data Protection Regulation (GDPR).
What Is the General Data Protection Regulation?
EU member states wrangled with the issues of data protection and security for approximately four years before passing the General Data Protection Regulation (GDPR). In addition to other changes from the Data Protection Act, GDPR imposes more substantial fines for noncompliance. It additionally attempts to empower consumers across the EU, giving them increased control over the uses of information about them personally.
How Will Noncompliant Businesses Be Penalized?
Regulators have the power to impose significant fines on companies they deem not in compliance with GDPR. The amount of the fine depends on which GDPR provisions are violated. For companies judged to violate "technical" GDPR provisions, fines are either €10 million or 2 percent of total annual revenues, whichever amount is greater (Imperva). Violations of "key" provisions are more serious, as are the associated penalties: €20 million or 4 percent of annual revenues.
What Does GDPR Mean for U.S. Businesses?
Many US businesses incorrectly assume that because GDPR is EU legislation, its compliance regulations and associated fines don't apply to them. In fact, Article 3 of the GDPR clearly states that American companies that do business with any of the 28 EU member states -- or that use the internet to market their products in those countries -- are subject to the same rules and penalties as EU businesses. In other words, American businesses that do business with the EU must follow the same data collection rules as European companies or face the associated penalties.
Most Businesses Are Unprepared
The GDPR became law in 2016, but that law provided a two-year window, until May 25, 2018, for affected businesses to demonstrate compliance.
With the deadline looming, only 43 percent of businesses have taken the actions necessary to achieve compliance, including effectively assessing what GDPR means for their companies (based on analysis from ITPRO).
How Should Businesses Prepare for GDPR?
Simply stated, US businesses need to take GDPR seriously. That means taking several proactive steps now (or certainly prior to the upcoming deadline), if they haven't already done so. These include (but are not necessarily limited to) the following:
- Conduct a risk assessment to identify any data on EU citizens they store or process.
- Appoint a data protection officer (DPO), charged with ensuring data protection.
- Create a data protection plan (one that includes mobile data).
- Create a plan to report progress on compliance.
- Establish a plan for testing and ongoing progress.
Achieving Compliance Won't Be Cheap
According to PwC, 68 percent of US businesses will spend $1 million to $10 million to achieve GDPR compliance; 9 percent expect to spend more than $10 million. Considering the impact of potential fines on those companies' bottom lines, however, those expenditures represent a sound and strategic investment in the future.