U.S. companies spending millions to satisfy Europe’s GDPR

Ninety-two percent of U.S. multinational companies cited compliance with the looming General Data Protection Regulation (GDPR) as a top data protection priority, according to new research from PwC. Sixty-eight percent are earmarking between $1 million and $10 million on GDPR readiness and compliance efforts, with 9 percent expecting to spend over $10 million, says Jay Cline, PwC’s U.S. privacy leader.

Cline says PwC ‘slatest survey showed that fear remains the biggest motivator for U.S. CIOs, who are “connecting the dots” after watching data breaches lead to lost revenues, regulatory fines and the erosion of consumer trust. “U.S. companies see the connection between doing privacy well and greater revenues and consumer trust,” says Cline, who surveyed 200 CIOs, CISOs and other C-suite executives.

Short of a catastrophic breach, there may not be a better business case for U.S. companies operating in Europe to fortify their cybersecurity and risk management portfolios than the GDPR, which regulators will implement on May 25, 2018 to ensure data protection for individuals within the European Union (EU). Businesses that fail to comply with GDPR’s broad and extensive rules will face a potential 4 percent fine based on their global revenues, potentially worth hundreds of millions of dollars.

GDPR compliance is onerous

The burdens placed by GDPR are overwhelming, even for U.S. multinationals with considerable resources. GDPR stipulates that companies maintain adequate data records; notify regulators in the event of data breaches; ensure customers the right to be forgotten; and enable customers to take their data with them. In some circumstances, such as when data processing is carried out by a public authority, GDPR requires companies to appoint a data protection officer.

Facing these requirements, many enterprises are struggling to revamp their data protection mechanisms and construct risk assessment processes for privacy compliance and security, says Bart Willemsen, a Gartner analyst who has fielded hundreds of client inquiries about GDPR in recent months. They’re also agonizing over how to institute the breach prevention, detection, forensics, remediation and notification measures the GDPR mandates. Businesses are also challenged with both the legal and technical aspects of data residency and location.

“Cross-border transfers and the allowed mechanisms cause concern and require action in both the legal and the IT department, even in vendor selection and procurement processes,” Willemsen says.

CIOs and CISO are turning to encryption (both in transit as well as at rest), tokenization and technologies that enable pseudonymization, including big data analytics, internet of things (IoT) and blockchain. As if these in-house obligations aren’t enough, CIOs must also ensure that their cloud vendors and other third-party partners are adhering to GDPR specifications.

Binding contracts and model clauses

GDPR compliance goes beyond technical and procedural capabilities. Many companies are seeking special contracts to assure regulators and indemnify themselves. So-called model clauses, contracts created between companies and technology vendors to ensure certain data protection standards are met, are being adopted by 58 percent of respondents, says PwC’s Cline

But Cline also says that 75 percent of those surveyed are seeking binding corporate rules for EU cross-border compliance, which essentially allow companies to get an EU regulator to sign off on their data privacy program, policies and procedures. “This allows a company to transfer its European data around the world,” Cline says. “It’s higher bar [to reach] but it’s more flexible in the long term.”

Willemsen says that model clauses and binding corporate rules work best implemented together. “BCRs seem to be the explicit favorite of EU data protection authorities, although I still see organizations also revert to adoption of the standard contractual clauses (or ‘EU Model Clauses’). Some use them in addition to BCR with an overlapping scope, which I think is excellent.”

Despite the three-year advance notice — the EU announced GDPR in 2015 — some enterprises are woefully behind schedule.

While most used the 2016 budget cycle to assess their data protection gaps and aim to fill those gaps in 2017, Cline says 23 percent of respondents hadn’t started preparing to meet GDPR and will find it hard to catch-up. “American multinationals that have not taken significant steps to prepare for GDPR are already behind their peers,” Cline says.

This no surprise to Willemsen, who wrote in a September research note that over 50 percent of companies affected by the GDPR will not be in full compliance with its requirements by the end of 2018. However, rather than allocating a larger portion of their budget to meet GDPR in the next cycle, companies should dedicate a permanent budget for privacy compliance.

“This is the ethical way to do business,” Willemsen says. “Good privacy safeguarding … should be at the core of your operation, demonstrating value to both client and colleague. Similar to security, if you do it right, privacy [compliance] is a business enabler rather than a stumbling block for those who value consumer trust.”