Houston Chronicle

New European security rules affect many U.S. firms

- By Gene Marks

The European Union’s General Data Protection Regulation, or GDPR, goes into effect on May 25. Is your company ready?

The objective of the regulation, which passed in 2016, is to simplify and consolidate rules that companies need to follow in order to protect their data and to return control to EU citizens and residents over their personal information.

Individuals in the EU will have the right to access or request that companies erase or migrate their data elsewhere. When asked, companies must prove to authorities that they have satisfactory policies and procedures in place to protect their data, or they will face huge fines. How huge? If your company’s not compliant, the fines could be as large as $24 million or four percent of your annual global revenue, whichever is higher.

The GDPR doesn’t apply to only big companies. Small businesses, nonprofits, research firms and solopreneurs — wherever they’re located — are also subject to these rules. All that needs to be proven is that the company sells or collects data from EU individuals.

The law is also confusing to many, so much so that some lawyers say it may even apply to U.S. citizens visiting Europe.

“A U.S. tourist who visits Germany for one day and returns to the U.S. has rights under the law if that person used (a service like) Facebook while on the trip,” Alex Stern, an attorney, wrote on his firm’s blog. “Organizations may still be wildly underestimating the scope of the GDPR.”

Underestimating the scope is definitely a problem. According to a report issued last month by technology publisher CompTIA, only 52 percent of the 400 U.S. companies it surveyed said they’re either exploring the applicability of GDPR to their businesses, have determined it doesn’t affect them or are unsure. Of the 48 percent of firms that say they would be affected, only 13 percent thought they would be compliant — 35 percent said they aren’t there yet.

“Companies subject to the regulations are running a huge financial risk by failing to put a GDPR plan in place,” Todd Thibodeaux, CompTIA president and CEO, said in a news release.
