GDPR is coming: How prepared is America?

The EU's GDPR comes into effect on May 25, but are American businesses prepared to comply?
11 April 2018

Giovanni Buttarelli, Assistant Supervisor, European Data Protection Supervisor (EDPS). Source: Flickr / Security & Defence Agenda

With the European Union’s General Data Protection Regulation (GDPR) coming into effect on May 25, companies across the world are assessing their data practices and what the regulation means for their business – but many are struggling to fully comply.

In today’s world, data is everything and companies don’t seem to be doing enough to protect it.

They collect as much of it as they can and hope to analyze it to make smarter decisions, yet they find it hard to police how sensitive customer data is accessed and controlled.

Hence, something as strong as the GDPR is clearly warranted. It is what the public hopes will help prevent the next Facebook – Cambridge Analytica scandal.

Although it applies to the personal data of people in the EU, wherever in the world that data is processed, many hope its provisions will be adopted as a set of best practices for data privacy and security by companies everywhere.

“Through the GDPR, the EU has led the way in safeguarding fundamental rights in the digital age.

“It reinforces the rights of individuals, strengthens legal guarantees and will allow for better and more consistent enforcement of data protection rules through the new European Data Protection Board,” said Giovanni Buttarelli, the European Data Protection Supervisor, in a recent blog post.

The regulation was adopted back in 2016, and the European Data Protection Supervisor’s office has made considerable effort since then to make sure that people understand the implications of the new law.

Moreover, the body has tried to explain it to companies in other parts of the world – such as the US and China – through blog posts, press notes, checklists and kits for companies, and events.

To ensure it became a top priority for businesses across the world, the maximum fine for non-compliance has been set at up to EUR20 million (US$28 million) or 4 percent of total worldwide annual turnover, whichever is higher.

“As the supervisory authority of the 66 EU institutions, bodies, offices and agencies, we have been working hard over the past two years, together with all institutions and bodies, to make the transition to the new Regulation a success,” added Buttarelli.

However, despite all these efforts, much of the world is still not prepared to comply with the GDPR.

A Reuters article earlier this year suggested that many US businesses are probably not even aware that the GDPR will have a significant impact on them.

“When it comes to GDPR preparedness, on a scale of zero to one hundred, there are quite a few, mostly smaller firms that are at zero, whereas most of the largest firms with international operations are somewhere between 90 and 95, and no one is at 100,” Timothy Blank, Managing Partner of the Boston office of the law firm Dechert LLP and head of its data privacy and cybersecurity practice areas, told Reuters.

However, it’s not just America that is struggling to comply.

Even within Europe, small and mid-sized businesses are finding it hard to understand the GDPR and plan for compliance.

Last week, an IDC survey found that only 29 percent of European small businesses and 41 percent of midsize businesses have taken steps to prepare for the GDPR.