toy car on a map of northern europe

Why US Companies Must Prepare for the EU’s New Data Security Laws

4 minute read
Tim Critchley avatar

Enterprise data breaches continue to grow at an alarming rate.

There were 974 disclosed data breaches in the first half of 2016 alone, resulting in the theft or loss of more than 554 million consumer data records. That’s a rate of nearly 3.04 million records compromised every day.

Yet despite these alarming numbers, the US has no single, comprehensive, national law regulating the collection and use of individuals’ personal data. Instead, the US has a patchwork system of federal and state laws and regulations that sometimes overlap, and at other times outright contradict each other.

Too Much Information?

At the same time, in today’s digital age, people are sharing greater volumes of personal information than ever before — through the internet, social media, mobile applications, cloud computing systems and other channels.

This makes it increasingly difficult for individuals to control where, when and how their data is processed.

The European Union’s General Data Protection Regulation (GDPR) was developed with the goal of creating a comprehensive framework across the European Union (EU) that would better protect peoples’ personal data and also simplify business rules for companies operating there.

The Impact of the GDPR

However, many US companies may not realize that they might also have to comply with this new EU data security regulation.

That’s because the GDPR applies to any business that holds data about, or which markets to individuals within the EU. So even if you are a US-based company, if you hold or process data pertaining to any EU citizens, you must comply with the GDPR.

Businesses that do not comply can face fines of up to 4 percent of their annual global revenue or €20 million (about $21.37 million) — whichever is greater — and can have class action lawsuits brought against them by EU citizens.

If your company operates outside the EU, you may be unsure exactly how the GDPR will impact your business.

The good news is that GDPR may become one of the first truly global security frameworks, standardizing and simplifying business processes.

Companies in the US know complying with the country’s patchwork of regulations and industry standards is not without its challenges. In fact, the more we explore, the more we realize that specific security standards governing the routine data operations in enterprises are few and far between.

Perhaps the closest thing to a global enterprise security requirement would be the Payment Card Industry Data Security Standard (PCI DSS).

However, PCI DSS isn’t in the same league as the GDPR because, while it does include penalties for non-compliance, it is a self-regulated industry standard and does not carry the weight of a law.

Learning Opportunities

One Data Security Framework

The various state and federal laws, as well as industry standards like PCI DSS, have created an operational nightmare for large enterprises and potentially even increase the likelihood of a data breach.

That’s because in an attempt to reduce complexity, many organizations opt to run their compliance programs by simply checking a box for each requirement before moving onto the next standard’s requirement.

Often, the system changes designed to meet the second standard create data security issues with the first. Governance, Risk Management and Compliance (GRC) software can only go so far in preventing these situations and making sure each requirement is met.

Is it possible to have a single international set of standards that meets all data security and privacy needs?

Can a framework be developed that simplifies the regulatory environment for international business, incentivizes participation and penalizes non-compliance (at an appropriate level)?

GDPR: A Step Forward

Given the unique qualities of the GDPR outlined above, I suggest it is a step in this direction. The rollout and adoption of the GDPR is a positive move to define a very specific goal for data privacy for all global citizens, while also standardizing the necessary processes and requirements businesses need to meet that objective.

While it isn’t perfect, the GDPR does start to create a new international guide for data security that IT security professionals should embrace.

While it doesn’t take effect until May 2018, companies should start preparing now. Taking the time to understand the requirements will enable businesses to plan accordingly and minimize risk.

Many organizations may need to establish new procedures aiming to minimize data processing and retention of data, as well as build in safeguards for all data processing activities. Additionally, organizations will want to take the time to make all employees fully aware of the changes and train them on new policies and procedures.

While the transition may seem daunting, IT security professionals should take heart in the fact that the GDPR could finally be the toolkit needed to help their business ensure that the sensitive data of customers and employees remains stringently protected in a uniform manner, wherever it resides.

About the author

Tim Critchley

Tim Critchley is the CEO of Semafone. He has led the company from a UK startup to an international business that spans five continents.