On May 25, 2018 Europe’s General Data Protection Regulation (GDPR) went into effect. After a year of unprecedented data breaches and hacking scandals (Facebook, anyone?), the leap up to GDPR had any and every organization that processes information belonging to European Union residents scrambling to update their processes, procedures, and privacy policies. And no, you didn’t imagine it - there was a week or so toward mid-May where you were absolutely inundated with emails from every company you’ve ever heard of asking you to opt in to their newsletters or telling you they’ve changed their terms and conditions. It was a lot, and for good reason.
With that flurry of activity in your inbox, you probably assumed that the regulations had some immediate impact on US businesses as well, but you would only be half right. As we mentioned, the GDPR impacts businesses that process the information of EU residents in an effort to create greater data privacy protection. It only applies to data relating to EU citizens, not to businesses (B2B) or US citizens. However, the White House is now considering enacting similar regulations within the US, which could make huge waves for businesses of all sizes.
What will these waves entail, you ask? It’s hard to say for certain until anything is proposed or passed, but based on the GDPR guidelines, here’s what could be in store for US businesses:
Additional Data Security Procedures
Of course, one of the most obvious aspects of far-reaching data protection regulations is that businesses may need to seriously upgrade their existing network infrastructure and security protocols to make sure they’re in compliance with the new regulations. GDPR puts the consumer’s privacy rights well above the rights of the business. The onus is completely on the organization to properly encrypt and anonymize the data, as well as to ensure that it’s stored securely and backed up properly, with access limited to those who truly need it. There are also requirements in GDPR for the consumer to be able to control their information independently. If the US follows similar guidelines, organizations could be required to implement software that allows their consumers to log into their accounts and profiles - even if that’s not something in place at the present time.
Additional Personnel
Maintaining compliance with the GDPR guidelines is a big undertaking with serious repercussions. So big and so serious, in fact, that organizations have hired personnel whose sole responsibility is to continuously monitor data and ensure that all processes and procedures are in place to maintain compliance. If the US adopts guidelines that are similarly broad-reaching, organizations may have to create new staff positions or outsource those responsibilities. On the one hand, it would create jobs; on the other, it could put a burden on businesses that may be stretched thin financially as they implement new technology, processes, and procedures.
Hefty Fines
One of the biggest impacts of GDPR for organizations as it stands is the potential for fines and penalties for non-compliance. Currently, penalties for first-time non-compliance can be greater than 10 million euros or up to 2% of the annual global turnover from the year prior. If the US follows suit, penalties like this could potentially cripple businesses found to be noncompliant.
Does your organization want to ensure it is carrying out data usage and security policies responsibly? Drop us a line via this form to schedule a free assessment.