In this month's newsletter, we outline how Connected Risk will transform Regulation
Are you GDPR Compliant?
07 February 2018 | Blog Post
In the next of our series on the top Connected Risks in 2018, we analyse the impending GDPR regulation. The latest Russell White Paper, The Year Ahead: Risks and Opportunities in 2018 can be downloaded here.
With just over four months to go before the GDPR goes live on 18th May 2018, most top UK and US firms are still overestimating their state of readiness, a study by international law firm Paul Hastings suggests. Later in the year we will study the implications for international data protection standards and the potential threats posed to business resilience, national security and critical infrastructure in today’s connected digital age.
Although 94% of FTSE 350 companies and 98% of Fortune 500 companies believe they are on track to comply with the GDPR by the May deadline, the report suggests that levels of readiness may not be so advanced. In reality, less than half of firms (39% in the UK and 47% in the US) have set up an internal GDPR taskforce, only a third are hiring a third party to conduct a GDPR gap analysis, and only roughly a third are hiring a third-party consultant to assist with compliance, all of which suggests many companies are not as well prepared as they think.
Failure to comply by any company anywhere in the world that does business with Europe and holds personal data about EU residents – for purposes such as profiling and big data analysis – could result in fines of up to €20m or 4% of its global turnover, whichever is the greater.
Another survey, published in November 2017 by cloud security firm HyTrust, revealed that as few as 22% of US organisations are concerned about the GDPR and have a plan in place. The survey included respondents from key industries, including government/military, financial/insurance, healthcare/biotech, manufacturing, transportation/shipping and technology.
More than half (51%) of respondents said their organisation is either not concerned about the GDPR or is unaware of its relevance to their business. From a business point of view, the consequences are clear: fines will be levied, and reputations will be sullied when regulators intervene and the ensuing publicity hits the media. What is also interesting, however, are the potential geo-political implications of the EU-inspired regulation.
In theory, the EU regulator has the power to levy huge fines on businesses, healthcare providers, charities, individuals and other institutions in the U.S. (or other regions) that fail to comply. It will be interesting to see the reaction of the current U.S. Government administration if/when the fines land on the desks of corporate America’s CEOs in 2018 or, more likely, 2019.