What’s 4% of your company’s global annual revenues? Are you prepared to pay this amount in fines?
This is what you might face if you’re not paying attention to new data privacy developments in Europe, as penalties for mishandling European citizen data apply to all companies, not just those headquartered in the European Union.
The two data privacy issues currently looming on the horizon are the EU General Data Protection Regulation (GDPR) and a replacement for the 20-year-old Safe Harbor agreement, which was invalidated in October 2015. The new GDPR would cover all 28 EU nations, providing a comprehensive and unified framework for data protection. The final text, which was released at the end of 2015 after four long years of debate, dictates how businesses will need to handle the lifecycle of citizen data and will have an implementation phase of two years once approved. Safe Harbor, on the other hand, more narrowly addressed only the international transfer of personal data from the EU to the U.S. The initial replacement framework, called the EU-US Privacy Shield, was agreed upon last week by the European Commission and the U.S. Department of Commerce, and a full draft is now being finalized.
The problem is that most companies inside or outside of Europe are woefully unprepared to deal with these new data privacy laws. In recent research my company conducted with analyst firm Ovum Research, 52% of global IT leaders reported that they expected fines for their company as a result of GDPR non-compliance, and over two-thirds acknowledged it will force changes in their European business strategy.
One reason most companies expect to face fines is the complex nature of data privacy regulations. Information-intensive business processes rely on cloud and mobile technologies, but these technologies sometimes make it hard to control access to data and to comply adequately with privacy laws. Nevertheless, businesses will undoubtedly continue to store and share sensitive and regulated data via the cloud and mobile devices in order to perform critical business transactions.
U.S. companies are already paying the price for a lack of concern around data privacy and will continue to be penalized further. Snowden and the NSA have cast a long shadow on how U.S. businesses are viewed outside our borders. Among the 20 largest global economies, the U.S. is ranked as the least trusted country and the one most likely to gain unauthorized access to sensitive information, with even China and Russia ranking better, according to the Ovum research report. Additionally, almost two-thirds of respondents (63%) said they think the European GDPR will put U.S. companies at a disadvantage and will favor European-based companies.
Recent EU moves around data sovereignty should be alarming to U.S. businesses. Although we enjoy an environment in which there is no comprehensive information privacy law, and we’re becoming increasingly inured to data breaches and government snooping, data privacy is now a strategic business issue. Act now, or it could cost your company dearly. U.S. businesses must update data management and business practices to comply with what will soon be a global standard and citizen expectation of data privacy.
Ron Hovsepian is president, CEO, and director of Intralinks. Previously he served as president and CEO of Novell and held management and executive positions at IBM, including worldwide general manager of IBM’s distribution industries. He currently serves as a member of the board of directors of ANSYS. He formerly served as managing director with Bear Stearns Asset Management, a technology venture capital fund, and managing director of Internet Capital Group, a venture capital firm.