Corporate Compliance Insights
A Majority of U.S. Businesses Ill-Prepared for GDPR

by Greg Sparrow
June 22, 2018
in Data Privacy, Featured
How to Achieve Compliance

Greg Sparrow addresses the issues raised by the General Data Protection Regulation (GDPR) and the preventative actions organizations must take to ensure compliance. Drawing on a “GDPR Readiness Survey” sponsored by CompliancePoint, Greg reviews the research findings and draws conclusions about the likely consequences.

The General Data Protection Regulation (GDPR) is an EU regulation that requires businesses to protect the personal data and the privacy of European Union natural persons when transactions occur within EU states. Data protected under the GDPR includes identifiable information (names, addresses, dates of birth), web-based data, health and genetic data and biometric data. The regulation became officially enforceable on May 25, 2018 and applies to all businesses that interact with or market to EU data subjects. The GDPR is based on the premise that private information always is, or should be, private and that individuals have rights surrounding that data. In the GDPR’s own words, “data protection is a fundamental right.”

Despite the two-year grace window companies were allotted to prepare for GDPR compliance when the regulation was first approved in 2016, a recent survey titled “GDPR Readiness Survey” shows that very few are 100 percent compliant. The survey found that only 29 percent of participants were actually aware of the GDPR, 44 percent said they were somewhat aware and 29 percent said they were completely unaware. The survey also found that only 24 percent of businesses felt they were prepared for the GDPR, and 31 percent felt they were somewhat prepared, compared with 36 percent of businesses that said they did not feel prepared and another 9 percent that said they were unsure. These numbers are alarming because a single infraction can cost a noncompliant business millions in revenue. Companies that are not fully aware or fully prepared can be assumed to face enormous risk when working with any customers who may be based in the EU.

Furthermore, the GDPR Readiness Survey found that 45.6 percent of businesses reported they have not become compliant because they are waiting to see what enforcement comes from the regulation. As more companies see initial fines, this number will likely drop. The GDPR notes that, under certain circumstances, companies doing business in the EU are required to appoint a Data Protection Officer (DPO) to ensure compliance with the regulation. The DPO is responsible for informing and advising the organization of its obligations under the regulation, monitoring compliance, responding to requests from data subjects and cooperating with the supervisory authorities, including reporting, within 72 hours as the GDPR requires, any breaches that put affected individuals at risk. Where a DPO is required, appointing someone to this position will be only a small part of what those 45.6 percent of businesses must accomplish to become compliant with the GDPR.

According to the GDPR website itself, whether a fine is administered for noncompliance and the amount levied depend on 10 key criteria: the nature of the infringement, intention, mitigation, preventative measures, history of violations, level of cooperation with the supervisory authorities, data types, notification, data protection certifications and “other.”

Infractions that are considered lower-level violations, such as not having data records in order, failing to notify the supervisory authority and data subject about a breach or not conducting privacy impact assessments, are subject to a fine of up to €10 million, or 2 percent of the worldwide annual revenue of the prior financial year, whichever is higher. Infractions that are considered upper-level violations, such as violations of basic principles related to data security and conditions for consumer consent, violations of data subject rights and transfers of personal data to third parties or international organizations that do not ensure an adequate level of data protection, are subject to as much as a €20 million penalty, or 4 percent of the worldwide annual revenue, whichever is higher.

In addition to the above findings, 39.7 percent of businesses responded that a lack of regulatory understanding is holding them back from working toward the data protection standards. The EU has yet to issue official assessment criteria, which makes it harder for businesses to implement a solution when there is no telling how regulators will officially evaluate them. In the same survey, 36.8 percent of businesses said a lack of budget was a factor in compliance failure, while another 33.8 percent cited low brand visibility, reasoning that they feel safer as a small company that may not be targeted as easily. Additionally, 27.9 percent of businesses said they were unconcerned with being GDPR compliant. Respondents did not report whether they were unconcerned due to a lack of understanding, a lack of threat or a lack of business presence in the EU.

The topic of data privacy and protection is not a new one for those living within the EU. The GDPR replaces a similar directive that was put into effect in 1995, when the internet was gaining tremendous attention and becoming increasingly usable by consumers. Since then, the way web giants such as Google and Amazon use their customers’ data has become so complex that customers often don’t realize what personal information has been stored. The GDPR differs from privacy regulations in the United States, as the American approach to information privacy is comprehensive in nature.

For example, a hospital will store different information than a retail organization, and a retail organization will store different information than an online marketplace. The U.S. has privacy protection acts and standards such as HIPAA, PCI DSS and other narrower privacy rules; the GDPR, by contrast, keeps the issue of privacy extremely simple. It doesn’t matter whether the data is credit information, health care records or simply an online social profile; it is all protected in the same way. Of the respondents polled in the GDPR survey, nearly half (48.5 percent) of those with knowledge of the GDPR said the requirement they anticipated being the most challenging was maintaining records of processing, followed by 39.7 percent who said consent would be the most challenging.

Data collected by the U.S. Small Business Administration (SBA) suggests the GDPR may well pose direct risks to U.S. businesses. According to the SBA, 98 percent of businesses export goods internationally, putting them within the jurisdiction of the GDPR. The first steps any company must take to mitigate its exposure to fines or risk include understanding the regulation and how data is used within the organization. Once risks and priorities have been identified, it is critical for organizations to identify and establish their lawful basis for processing personal data. A compliance firm, as an unbiased third party, can help organizations quickly identify industry and organizational risks that are otherwise often overlooked. A risk management and compliance consulting firm can help organizations quickly identify risk, formulate a plan to mitigate it and set up ongoing monitoring programs that maintain valuable records of compliance.

To become compliant with the GDPR and similar regulations, businesses must educate themselves on these regulations and determine how to meet the requirements. Appropriate data protection processes and procedures not only help minimize exposure to fines, but also provide an opportunity within the market to reassure customers and earn their trust.


Tags: GDPR, Personally Identifiable Information (PII)

Greg Sparrow

Greg Sparrow is Senior Vice President and General Manager at CompliancePoint. Greg has over 17 years of experience in privacy, information security and risk management, and has had the pleasure of working on both U.S.-based and international projects. He was responsible for the development and implementation of security programs responsible for protecting billions of dollars in annual transaction volume. Greg’s most recent work includes security and certification work for Samsung Pay, enterprise risk management for multiple NFL and MLB sports teams and helping to secure critical infrastructure at some of the nation’s largest transit hubs. Greg holds multiple IT and security certifications covering the healthcare industry, the payment card industry and federal banking standards.