A huge European security regulation that affects many U.S. companies takes effect this week
(This post originally appeared on The Washington Post)
The European Union’s General Data Protection Regulation, or GDPR, goes into effect on May 25. Is your company ready?
The objective of the regulation, which was adopted in 2016, is to simplify and consolidate the rules companies must follow when they handle personal data, and to give E.U. citizens and residents back control over their personal information.
Individuals in the E.U. will have the right to access the data a company holds about them, to have it erased, or to have it transferred to another provider. When asked, companies must be able to show regulators that they have adequate policies and procedures in place to protect that data, or they will face huge fines. How huge? If your company is not compliant, the fines could be as large as 20 million euros (about $24 million) or 4 percent of your annual global revenue, whichever is higher.
The GDPR doesn't apply only to big companies. Small businesses, nonprofit groups, research firms and solo entrepreneurs, wherever they are located, are also subject to these rules. What matters is whether the organization offers goods or services to, or collects personal data from, individuals in the E.U.
The law is also confusing to many, so much so that some lawyers say it may even apply to U.S. citizens visiting Europe.
“A U.S. tourist who visits Germany for one day and returns to the U.S. has rights under the law if that person used [a service like] Facebook while on the trip,” Alex Stern, an attorney, wrote on his firm’s blog. “Organizations may still be wildly underestimating the scope of the GDPR.”
Underestimating the scope is definitely a problem. According to a report issued last month by the technology trade association CompTIA, only 52 percent of the 400 U.S. companies it surveyed said they are exploring whether the GDPR applies to their businesses, have determined that it doesn't affect them, or are unsure. Of the firms that said they would be affected, only 13 percent thought they would be compliant by the deadline; 35 percent said they aren't there yet.
"Companies subject to the regulations are running a huge financial risk by failing to put a GDPR plan in place," Todd Thibodeaux, CompTIA's president and CEO, said in a news release.