Many U.S. Companies Unaware that the EU GDPR Applies to Them
Yes, U.S. companies must worry about EU GDPR compliance, too. Is your company ready?
With just over three weeks to go until the May 25, 2018, deadline, many U.S. companies are woefully unprepared for the EU’s new General Data Protection Regulation, or GDPR. In fact, quite a few of them don’t yet realize they have to achieve EU GDPR compliance. A new survey by CompTIA found that “A full 52 percent of 400 U.S. companies surveyed are either still exploring the applicability of GDPR to their business; have determined that GDPR is not a requirement for their business; or are unsure.”
Additional findings from the CompTIA study include:
- Only 13% of U.S. companies surveyed reported having achieved full EU GDPR compliance, with 23% “mostly compliant” and 12% “somewhat compliant.”
- Only 25% of U.S. companies surveyed reported being “very” familiar with the EU GDPR.
- Only 22% of U.S. companies surveyed have developed a GDPR compliance plan, and only 21% have conducted data audits and readiness assessments
- Nearly one-third of U.S. companies surveyed mistakenly believe that the deadline for GDPR compliance is the end of 2018.
- 64% of U.S. companies surveyed are unaware of the [very stiff] penalties for not complying with the GDPR.
Respondents to the CompTIA survey listed accountability and allowing users to correct inaccuracies; data transparency and the rights of users to access their data; user consent; data portability; and the “right to be forgotten” as the most challenging aspects of EU GDPR compliance.
U.S. Companies and EU GDPR Compliance
The applicability of the GDPR to your business is not based on where your company is located, but on where your customers are located. If you conduct business with any individuals or organizations in the European Union, you must comply with the GDPR. Further, in addition to customer data; it also governs employee and human resources data.
How serious is the EU about enforcing GDPR compliance among U.S. companies? Last week, EU authorities flatly rejected a request from U.S.-based ICANN, which is in charge of the WHOIS “internet phonebook,” for more time to make WHOIS GDPR-compliant. Yes, that ICANN, and that WHOIS. This was not foisted on ICANN at the last moment; the organization had a two-year lead time to come up with a solution but dragged its feet. Because of the ICANN GDPR debacle, cyber security experts, law enforcement agencies, and IP attorneys fear that the WHOIS directory will become fragmented or go dark on May 25.
What Does the EU GDPR Mean for U.S. Companies?
The EU GDPR is arguably the most comprehensive, far-reaching data privacy law ever enacted. Among other things:
- It will require impacted companies to fundamentally alter their data governance and bake data security into their products, policies, procedures, and systems from day one.
- It will hold your organization responsible if one of your third-party vendors is breached.
- It grants EU “data subjects” sweeping data privacy rights, including data portability, the right to access their data, the right to withdraw consent, and the “right to be forgotten.”
- It mandates that organizations notify the authorities and affected customers within 72 hours of detecting a breach.
Much like HIPAA, the EU GDPR specifies what organizations must achieve, but it does not prescribe the specific technical controls to get there.
Is your organization ready for the GDPR compliance deadline on May 25? Lazarus Alliance has a free GDPR readiness tool. Click here to take your GDPR readiness assessment and download your free report today!
The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. Our full-service risk assessment services and Continuum GRC RegTech software will help protect your organization from data breaches, ransomware attacks, and other cyber threats.
Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization adhere to cyber security regulations, maintain compliance, and secure your systems.