3 GDPR Developments U.S. Businesses Should Heed

Is talk about potentially huge fines "scaremongering"? Just ask Facebook.

October 31, 2017



By Patrick Lastennet, Director of Marketing & Business Development, Interxion

The countdown to the General Data Protection Regulation (GDPR) has left global businesses uncertain about what the future holds. With just eight months to go, the latest figures show that, quite worryingly, 37 percent of global organizations are unsure whether they need to comply with the GDPR. Short answer: Any company that stores or processes personal information about EU citizens must demonstrate compliance. Penalties for noncompliance are steep, and the window for reporting a breach is just 72 hours.

As time runs out to prepare for the May 25, 2018, launch date, the lack of clarity and communication around GDPR among businesses is becoming more evident. The aforementioned report also shows that 44 percent of global businesses don’t know how close their organizations are to compliance. Recent research by analyst firm Gartner already revealed that over half of companies affected by the GDPR will not be in full compliance with its requirements by the end of the looming deadline.

Over the summer period, three key news announcements emerged in an attempt to make sense of what the GDPR will entail for global businesses. If you, or your customers, are just starting to pay attention, here’s a summary of news you may have missed, but should be aware of.

A new bill in the U.K. confirmed that Brexit doesn’t mean businesses can get away with GDPR non-compliance come May 2018. The United Kingdom has been one of the more active European countries in relation to GDPR enforcement, as it released plans for a new UK Data Protection Bill as a first step in bringing the GDPR into U.K. law. The legislation will also be maintained after Brexit and will go into effect on May 25, 2018, confirming that businesses can’t assume that Brexit will get them out of complying. For U.S. businesses, the major difference is the need to correctly handle movement of data between countries and also customers’ “right to be forgotten,” which means companies need to consider how they coordinate centrally as well as storing locally.

The U.K. information commissioner called for “less scaremongering” about hefty fines post-GDPR. In the first of a series of blogs on GDPR meant to “dispel myths,” commissioner Elizabeth Denham states: “it is scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm.”

My advice to U.S. businesses is, don’t be tempted to “wait and see” whether the rules are strictly enforced, or enforced differently in some countries than others. Customer data must be safeguarded now, and the GDPR rules aren’t luxuries — they’re solid best practices that every company should be following. Spend the time now securing your and your clients’ end-customer data, and don’t run the risk of a headline-grabbing fine and the just-as-costly brand reputation damage.

High-profile GDPR-style fines of U.S. companies and breaches have started to appear. In the wake of Facebook’s €1.2 million fine by Spanish data watchdogs – and despite Denham’s charges of scaremongering around big fines – U.S. businesses with customers in Europe got a taste of what the GDPR is likely to bring come May 2018. Expect to see more high-profile cases next year, to prove a point that the GDPR is to be taken seriously by organizations.

These three recent updates show that, while global companies are playing catch-up to prepare themselves for compliance, the GDPR is well and truly on its way — and it’s approaching fast. My advice is to look at this as an opportunity to eventually win more business in Europe. U.S. companies launching into the EU are in the position to approach their infrastructure plans with a “clean sheet,” but they need the right information, support and tools to reach compliance in this sophisticated market.

Patrick Lastennet is director of marketing and business development at Interxion. Patrick has an extensive background in managing large-scale IT transformation projects and market data integrations, particularly within the EU, and is an expert on all facets of GDPR, including security, encryption, privacy and fines.
