The General Data Protection Regulation (GDPR) is perhaps the most significant piece of legislation on the storage and processing of personal data in decades. Because its impact is so wide-ranging, the European Union gave businesses roughly two years to achieve compliance, with enforcement beginning on 25 May 2018. Despite this lengthy build-up, many businesses are still not ready, particularly those based in the UK.
US firms on track
US businesses are demonstrating that they are taking the upcoming GDPR very seriously, and your first question may well be, “Why?” After all, as an EU regulation, it is not immediately obvious why US firms should be preparing at all. One of GDPR’s most significant features, however, is that its reach is defined by where the data subjects are, not where the business is: it covers any organisation that handles the personal data of people in the EU, regardless of where that organisation is based. That means the likes of Facebook, Google and Amazon, as well as countless smaller organisations across the pond, all need to achieve compliance.
According to a recent survey, many EU firms cited budgetary constraints as one of the key hurdles to GDPR compliance. Many of the world’s biggest and most successful IT firms are located in the US, and they have more than enough financial clout to get their systems in order before the 25 May deadline. For smaller firms based in the UK, this is proving more difficult.
GDPR is certainly a lengthy piece of legislation, and many companies may feel they lack the time, financial resources or expertise to achieve compliance. There are many aspects to consider: GDPR sets requirements on the ability to restore data availability after an incident, on the appointment of data protection officers, on notifying the supervisory authority of a personal data breach (within 72 hours of becoming aware of it) and much more. Fortunately, help is available. Many third-party vendors, such as Sungard AS, provide GDPR consultancy services to help their clients achieve compliance, and many offer these as subscription services, which puts the cost within reach of smaller firms.
Another reason UK companies are lagging behind their US counterparts may be the ongoing Brexit confusion. With the UK due to leave the EU in 2019, organisations may be wondering whether they still need to adhere to the incoming regulation. The simple answer is: yes, they do.
The UK will still be an EU member on the 25 May deadline, but even after the UK has left the EU, the majority of businesses will remain subject to GDPR. Because the regulation applies according to where the individuals whose data is processed are located, any UK organisation that wants to collect or process data on people based on the continent will still have to comply.
Perhaps the most significant reason UK businesses are lagging behind US businesses is complacency. Companies based in the UK have been subject to EU data protection law for so long that they may assume achieving GDPR compliance will be a simple task. That would be a dangerous mistake. The new regulation is extremely broad and comes with significant fines: up to €20 million or 4% of annual worldwide turnover, whichever is greater. If UK businesses still believe that GDPR compliance will be a walk in the park, they could be in for a rude awakening.