With the May 25, 2018 date for companies’ compliance with the European Union’s (EU) landmark General Data Protection Regulation (GDPR) less than a month away, many US and other global businesses are spending $1 million or more on GDPR compliance plans, according to research from PwC.
“No legislation rivals the potential global impact of the EU’s General Data Protection Regulation. The new law will usher in cascading privacy demands that will require a renewed focus on data privacy for US companies that offer goods and services to EU citizens,” said Jay Cline, PwC’s US Privacy Leader.
According to respondents to PwC’s survey of thousands of businesses that operate in the EU, over three in four (77%) companies plan to allocate $1 million or more to GDPR compliance and readiness efforts: 68% say they will invest between $1 million and $10 million, and 9% expect to spend over $10 million to address GDPR obligations.
To be in compliance, companies are investing time and money in initiatives that include Privacy Shield and binding corporate rules, as well as model contracts for EU cross-border compliance. They are also centralizing data centers in Europe and de-identifying European data to reduce their GDPR risk exposure.
Here are five things to know about the GDPR:
- Businesses affected by the GDPR specifically include:
  - All companies that do business in the EU
  - Companies with more than 250 employees that process the data of EU residents
  - Companies with fewer than 250 employees whose data processing affects the rights and freedoms of data subjects on a more than occasional basis and includes certain types of sensitive personal data
- The types of identity information the GDPR requires businesses to protect include:
  - Name, address and ID numbers
  - Web data such as location, IP address, cookie data and RFID tags
  - Health and genetic data
  - Biometric data
  - Racial or ethnic data
  - Political opinions
  - Sexual orientation
- Companies that need to meet GDPR compliance standards are also responsible for making certain that the data management companies they do business with comply as well. The EU considers vendors an extension of the companies they work with for the purpose of managing data breaches, so all company contracts with vendors of this type must be updated to reflect that systems and practices for GDPR compliance have been put in place. As with individual businesses, these vendor contracts need to define consistent processes for how data is managed and protected, and how breaches are reported.
- The GDPR specifies three roles responsible for ensuring compliance: the data controller, the data processor, and the data protection officer. The data controller defines how personal data is processed and the purposes for which it is processed. The controller is also responsible for making sure that outside contractors comply.
- Businesses that are not in GDPR compliance face a potential fine of 4% of global revenues, which increases the need to plan for and implement the necessary changes successfully, according to PwC.
Company officials who make certain that their businesses are in compliance with the GDPR will not only rest easier with regard to potential EU scrutiny, but will also have the peace of mind that comes from having made sure that their companies’ data is protected from a potential breach.