3 reasons why a ‘wait and see’ approach to GDPR will be costly for US organisations

26 Oct 2017


GDPR will help you gain more business in Europe, so it’s time to implement this new data regulation before the May 2018 deadline, writes Patrick Lastennet from Interxion.

The General Data Protection Regulation (GDPR) is the talk of the business town, at least over here in my native UK. If you somehow managed to escape this, the abbreviation refers to the major new European Union legislation due to come into effect seven months from now.

From 25 May 2018, any organisation that controls or processes personally identifiable information about EU citizens must have stringent organisational and technical measures in place (or ‘privacy by design’, as it has been dubbed) to comply with the GDPR.

The new rules are outlined on the regulation website, but include requirements such as mandatory breach notification and the right of data subjects to receive confirmation as to whether their personal data is being processed, and for what purpose.

Why should US businesses care? Those that have customers in Europe, or that are looking to expand across the pond, should already be deep into their planning and implementation phases to be ready for when the regulation becomes law next May. Yet research by the analyst firm Gartner has already shown that more than 50pc of companies affected by GDPR will not be in full compliance with its requirements by the deadline.

This is despite the fact that, in a PwC survey of US-based multinationals, 92pc of US companies affected by GDPR cited compliance with it as a top data protection priority.

This is hardly a surprise, given that whenever a new unifying law or big piece of legislation like this is proposed, organisations tend to take a ‘wait and see’ approach, to observe how rules are enforced before they make critical decisions on how far to go with their response. This stance may prove difficult with the GDPR, however, as fines may range as high as €20m (almost $24m) or 4pc of global annual turnover, whichever is greater.

My advice to companies, then, is not to be tempted to wait and see whether the GDPR rules are enforced, or enforced differently in some countries than others.

Indeed, with this unifying data law just around the corner, a passive approach is a poor plan of attack. Companies need to be ready from the start – and here are three key reasons why.

1. Customer data must be safeguarded

There is evidence that suggests privacy sells. Over the last couple of years, the use of ad blockers has increased significantly worldwide. A recent report by analytics company PageFair showed that ad blocker usage surged 30pc last year. There were 615m devices blocking ads worldwide by the end of 2016, with security being the key reason users gave for downloading the software.

There is also rising awareness on the consumer side of the abuse of personally identifiable information, and this matters greatly to consumers. Their data must be kept safe, so the onus is on organisations to do so going forward because, first and foremost, it is the right thing to do and the ethical way to do business, whatever headaches it causes at the start.

2. GDPR rules aren’t luxuries, they’re solid best practices

The GDPR is the biggest shake-up to data privacy in a generation, but organisations must remember the overriding principle of these new regulations: to unify data laws across the European continent in order to shift the burden of proof from individuals to organisations. That means that the new rules act as best-practice guidelines for companies to follow. In fact, companies should already have the majority of these in place and now is the best time to start.

A ‘wait and see’ approach makes sense only if the potential risks are outweighed by the efforts required to prevent them. GDPR may require coordination and effort in the beginning but, in most cases, it’s just enforcing best practices for data handling and management, so these are steps that companies should be taking as a matter of course.

3. GDPR will ultimately help you win more business in Europe

Where once citizens needed to show that they were the victims of data misuse or security breaches, organisations must now demonstrate they’ve taken the right pre-emptive actions to protect personal data appropriately. If your company takes the initiative from the start, this will boost your company’s customer base across Europe. Ultimately, proper GDPR compliance will lead to more business wins in the continent.

Beyond the direct financial implications of the GDPR, which are considerable, the impact on reputation and brand loyalty can lead to a greater financial effect in the long run.

With a new piece of legislation, coverage of the first breaches and fines is likely to be major for the companies involved. I urge companies to spend the time now securing their customer data, and not to run the risk of a headline-grabbing fine and the damage to their brand’s reputation by being a test case.

A good starting point is to work with partners that understand the complexities of the European market and its regulations, and who can simplify the GDPR compliance process by supporting your security, portability and encryption efforts for customer data.

By Patrick Lastennet

Patrick Lastennet is director of marketing and business development for the financial services segment at Interxion, a European provider of carrier-neutral data centre services. Prior to joining Interxion, he held a range of senior positions at NYSE Euronext, overseeing the launch of the NYSE Arca Europe multilateral trading facility and leading the group’s European MiFID IT work stream.

A version of this article was originally published by Entrepreneur