Are US Companies Ready for GDPR Compliance by May 2018?
- newyorkscot
- Jun 30, 2017
- 3 min read

Many European-based companies have started to think about how they will be in compliance with the EU's General Data Protection Regulation (GDPR) by May 2018. But many have not started, and a lot are not even aware of GDPR. How are US-based companies approaching this EU-directed regulation?
A Quick Briefing on GDPR
Here's a decent short video explanation of what GDPR is and which companies will be subject to the regulation. In a nutshell, companies are going to need to deal with the following:
- Information / Cyber Security: what are you doing to keep your data safe and to avoid various forms of cyber attacks or leaks?
- Understanding the relationship between systems, supplier and customer data, and the internal and external business processes and operations that affect that data.
- Personal data management: controls and compliance around consent, privacy by design, the right to be forgotten, the right to access and data portability.
- Breach Management: what processes and controls are in place to a) ensure breaches of data do not happen, and b) ensure any breach that does occur is handled expediently and with care.
The financial and reputational damage could be very severe indeed, and companies have until the May 2018 deadline to get ready. The fine could be anywhere up to EUR 20mm or 4% of global turnover, whichever is the greater!
Does Your Company Have Operations, Suppliers or Customers in the EU?
What many companies are just starting to realize is that this is not just for EU-based companies. It also affects US companies with customers and operations in the EU. And that includes any suppliers that are executing business processes on behalf of the company.
Furthermore, if a company is processing or holding data relating to European citizens anywhere in the world, GDPR also applies, and the penalties relate to group revenue. That is a very hefty impact on a LOT of US companies!
This article from Information Age reports on a PwC survey of US Companies, which pretty much states that US companies have only just started to wake up to the fact that they need to be doing something now.
Compliance and Readiness
In order to get a handle on readiness and compliance, many companies are hiring outside help (in the form of consulting firms) who can perform readiness assessments and provide strategic advice around business processes and best practices.
But what are the key things that will make a difference?
According to this article, there needs to be a unified approach to compliance, which makes a lot of sense.
But at a pragmatic level it really is about knowing the provenance of your data, how and where your data is stored and processed, and knowing what governance, controls and systems you have that can keep your data safe (or get you into trouble).
At IDE-International, we have been helping companies work through these large GDPR programs. We are not specialists in cyber security and other data protection techniques; that is a whole domain with many experts, tools and vendors of its own.
Instead, what we are doing is helping customers get a view of where they stand on enterprise-wide compliance. This is comprised of four parts:
- Understanding assets, systems, data, key business processes, suppliers and contracts.
- Modeling the GDPR regulations (and the 99 articles) under a regulatory framework model.
- Being able to build surveys, assessments and questionnaires that can be executed by the relevant stakeholders on an ad-hoc (initial) and ongoing (scheduled) basis. This provides the view of what is compliant and what is not.
- Having a way to create key operational runbooks to facilitate Breach Management procedures should there be a customer or similar data breach.
What Do You Think?
Please let us know what you think about GDPR and how EU and US companies are faring with getting ready for GDPR by May 2018.