Most US companies are investing at least $1 million in becoming compliant with the European Union’s (EU) General Data Protection Regulation (GDPR), according to research from PwC. The deadline for GDPR compliance is May 25, 2018, meaning all companies that do business in the EU must quickly take substantial steps to protect the data of EU residents.
According to PwC survey respondents, over three in four (77%) companies plan to allocate $1 million or more on GDPR compliance and readiness efforts – with 68% saying they will invest between $1 million and $10 million and 9% expecting to spend over $10 million to address GDPR obligations.
These resources are being spent on such initiatives as Privacy Shield and binding corporate rules, as well as model contracts for EU cross-border compliance. Companies also are centralizing data centers in Europe and de-identifying European data to reduce their GDPR risk exposure.
Companies that do business in the EU, process the data of EU residents, and have more than 250 employees must follow the GDPR compliance rules. To be compliant, they must show that they are taking substantive measures to protect the personal data and privacy of EU citizens for transactions that occur within the EU’s 28 member states.
The GDPR also regulates the export of personal data outside the EU, and it applies to companies with fewer than 250 employees whose data processing affects the rights and freedoms of data subjects on a more than occasional basis and includes certain types of sensitive personal data.
The type of basic identity information companies must now protect includes name, address and ID numbers; web data such as location, IP address, cookie data and RFID tags; health and genetic data; biometric data; racial or ethnic data; political opinions; and sexual orientation.
Companies affected by the GDPR are also responsible for making sure that their data vendors are compliant, as the EU sees their operations as interrelated. This means that companies need to update all vendor data contracts to reflect that they are committing to the processes and systems required for GDPR compliance. As with the policies of individual businesses, these vendor contracts need to define consistent processes for how data is managed and protected, and how breaches are reported.
The GDPR names three roles responsible for ensuring compliance: the data controller, the data processor, and the data protection officer. The data controller defines how personal data is processed and the purposes for which it is processed. The controller is also responsible for making sure that outside contractors comply.
To make certain that the company is within GDPR compliance, this team of professionals needs to know all information relating to how the company’s data is being gathered, stored and protected. Then, they can agree on a compliant process for reporting, articulate that in a new policy for the company, and include it in new contracts with vendors.
“No legislation rivals the potential global impact of the EU’s General Data Protection Regulation (GDPR), going into effect in April 2018. The new law will usher in cascading privacy demands that will require a renewed focus on data privacy for US companies that offer goods and services to EU citizens,” said Jay Cline, PwC’s US Privacy Leader. “Businesses that do not comply with GDPR face a potential 4% fine of global revenues, increasing the need to successfully navigate how to plan for and implement the necessary changes.”