Many U.S. Companies Unaware that the GDPR Applies to Them

Topic: Business Networking

By Michael Peters

With just over three weeks to go until the May 25, 2018, deadline, many U.S. companies are woefully unprepared for the EU’s new General Data Protection Regulation, or GDPR. In fact, quite a few of them don’t yet realize they have to achieve GDPR compliance. A new survey by CompTIA found that “A full 52 percent of 400 U.S. companies surveyed are either still exploring the applicability of GDPR to their business; have determined that GDPR is not a requirement for their business; or are unsure.”

Additional findings from the CompTIA study include:

* Only 13% of U.S. companies surveyed reported having achieved full GDPR compliance, with 23% “mostly compliant” and 12% “somewhat compliant.”
* Only 25% of U.S. companies surveyed reported being “very” familiar with the GDPR.
* Only 22% of U.S. companies surveyed have developed a GDPR compliance plan, and only 21% have conducted data audits and readiness assessments.
* Nearly one-third of U.S. companies surveyed mistakenly believe that the deadline for GDPR compliance is the end of 2018.
* 64% of U.S. companies surveyed are unaware of the [very stiff] penalties for not complying with the GDPR.

Respondents to the CompTIA survey listed accountability and allowing users to correct inaccuracies; data transparency and the rights of users to access their data; user consent; data portability; and the “right to be forgotten” as the most challenging aspects of GDPR compliance.

U.S. Companies and GDPR Compliance

The applicability of the GDPR to your business is not based on where your company is located, but on where your customers are located. If you conduct business with any individuals or organizations in the European Union, you must comply with the GDPR. Further, in addition to customer data, it also governs employee and human resources data.

How serious is the EU about enforcing GDPR compliance among U.S. companies? Last week, EU authorities flatly rejected a request from U.S.-based ICANN, which is in charge of the WHOIS “internet phonebook,” for more time to make WHOIS GDPR-compliant. Yes, that ICANN, and that WHOIS. This was not foisted on ICANN at the last moment; the organization had a two-year lead time to come up with a solution but dragged its feet. Because of the ICANN GDPR debacle, cyber security experts, law enforcement agencies, and IP attorneys fear that the WHOIS directory will become fragmented or go dark on May 25.

What Does the EU GDPR Mean for U.S. Companies?

The GDPR is arguably the most comprehensive, far-reaching data privacy law ever enacted. Among other things:

* It will require impacted companies to fundamentally alter their data governance and bake data security into their products, policies, procedures, and systems from day one.
* It will hold your organization responsible if one of your third-party vendors is breached.
* It grants EU “data subjects” sweeping data privacy rights, including data portability, the right to access their data, the right to withdraw consent, and the “right to be forgotten.”
* It mandates that organizations notify the authorities and affected customers within 72 hours of detecting a breach.

Much like HIPAA, the GDPR specifies what organizations must achieve, but it does not prescribe the specific technical controls to get there.

About the Author

Michael Peters is the CEO of Lazarus Alliance, Inc., the Proactive Cyber Security™ firm, and Continuum GRC. He has served as an independent information security consultant, executive, researcher, and author. He is an internationally recognized and awarded security expert with years of IT and business leadership experience and many previous executive leadership positions. He has contributed significantly to curriculum development for graduate degree programs in information security, advanced technology, cyberspace law, and privacy, and to industry standard professional certifications. He has been featured in many publications and broadcast media outlets as the “Go-to Guy” for executive leadership, information security, cyberspace law, and governance.
