Even though all companies doing business with residents of the European Union (EU) will need to comply with its General Data Protection Regulation (GDPR) by May 25, 2018, most will miss that deadline, according to a recent survey of corporate tech decision makers conducted by Crowd Research Partners.
The survey also found that only 7% of the companies polled report being in compliance with the regulation, which requires substantial protection for the personal data of EU residents and thorough notification to them if that data is breached. A further 28% have not even begun the work needed to be GDPR compliant by the deadline, the research found.
The high cost of GDPR compliance is likely one reason for corporate inaction. According to respondents to PwC’s survey of thousands of businesses that operate in the EU, more than 77% of companies plan to allocate $1 million or more to GDPR compliance efforts, with 68% saying they will invest between $1 million and $10 million and 9% expecting to spend over $10 million to address GDPR obligations.
However, ignoring GDPR compliance can bring stiff fines from EU officials: penalties can run as high as 4% of an enterprise’s worldwide revenue. Those working to be compliant are investing resources in initiatives that include Privacy Shield and binding corporate rules, as well as model contracts for EU cross-border compliance. They are also centralizing data centers in Europe and de-identifying European data to reduce their GDPR risk exposure.
Businesses affected by the GDPR specifically include all companies that do business in the EU; companies with more than 250 employees that process the data of EU residents; and companies with fewer than 250 employees whose data processing impacts the rights and freedoms of data subjects on a more than occasional basis and includes certain types of sensitive personal data. In other words, any company that does business with an EU resident in any shape or form is affected.
The type of identity information the GDPR requires businesses to protect includes name, address and ID numbers; web data such as location, IP address, cookie data and RFID tags; health and genetic data; biometric data; racial or ethnic data; political opinions; and sexual orientation.
The GDPR also specifies the roles responsible for ensuring compliance: the data controller, the data processor and the data protection officer. The data controller defines how personal data is processed and the purposes for which it is processed. The controller is also responsible for making sure that outside contractors comply.
In addition, companies need to make certain that their data management vendors are compliant. The EU considers vendors an extension of the companies they work with for the purpose of gathering, storing and protecting their data and managing data breaches. This means that all company contracts with vendors must be updated to reflect that systems and practices have been put in place to comply with the GDPR. As with individual businesses’ contracts, these vendor contracts need to define consistent processes for how data is managed and protected, and how breaches are reported.
“Organizations should not see [GDPR compliance] as just a regulatory compliance program,” said Peter Gooch, cyber risk services partner at Deloitte. “Having the right privacy requirements embedded into an overall customer engagement strategy can also be a competitive advantage. All businesses rely on consumer loyalty. A breach can put the company’s existence at risk.”