Privacy protections: Compliance

RSM US MMBI Cybersecurity Special Report 2018

As data breaches become more frequent, and threats become more severe, several regulatory bodies are establishing new privacy guidelines to protect sensitive consumer data. One recent example is the European Union’s (EU) General Data Protection Regulation (GDPR), which was adopted in April 2016 with enforcement slated to begin on May 25, 2018.

EU privacy regulations are considered to be some of the toughest in the world, and GDPR is no different. Its reach is extraterritorial: any organization that holds, transmits or processes the personal data of individuals in the EU, for example by offering them goods or services or monitoring their behavior, must comply with GDPR, regardless of whether it has any operations in the EU. As a result, many U.S.-based middle market companies that possess EU-resident data may not realize that they are subject to GDPR requirements.

RSM's first quarter 2018 survey of Middle Market Leadership Council executives representing U.S.-based companies found that only 20 percent of these middle market organizations consider GDPR relevant to their companies. Larger midsize businesses (29 percent) are significantly more likely to see GDPR as relevant than smaller organizations (14 percent).

In addition, in companies where GDPR is seen as relevant, executives are divided on the degree of effort required for compliance. RSM found that 45 percent of middle market executives consider GDPR compliance a major effort, while 44 percent believe it is a minor effort.

Many organizations underestimate how much EU data they hold, and therefore may not understand the legislation’s potential effect. With recent advances in digital communication, consumer data can be collected in many ways, including website forms, email systems, social media, mobile platforms and many other business applications. In addition, the GDPR definition of “personal data” is much broader than the definitions of personally identifiable information used in most U.S. regulations: it covers information such as geo-location data, browser cookies and other online identifiers, biometric data, and any other information that could directly or indirectly identify an individual in the EU.

GDPR has raised the bar for protecting consumer information, and requires tracking of EU personal data from collection to disposal. However, GDPR can also become a business opportunity, with data privacy serving as a competitive differentiator and creating a blueprint to address additional new privacy laws.

Noncompliance with GDPR can result in significant financial penalties, up to 4 percent of global annual turnover or 20 million euros, whichever is greater. Middle market companies must be prepared: the report expects early enforcement actions to target the sector first, establishing a foundation for pursuing penalties against larger companies.

“While many executives have been dismissive of the impact of GDPR on their organization, they may be ignoring a very significant warning in a way that will cause significant pain later,” said Geopfert. “GDPR is an indicator of the very likely course of upcoming privacy laws in the United States, as well as other international locations.

Organizations would be well served to start implementing GDPR-style processes around data privacy, consent and ‘right to be forgotten’ so that when such laws inevitably come to the United States or regulatory agencies, organizations can avoid the perspective of having to deploy such controls in a compressed timeline.”
