GDPR: How the EU’s New Data Privacy Law Impacts U.S. Companies

The new EU data protection law GDPR may carry significant cost and risk implications for many U.S. firms operating in Europe. Jack Yang, Visa’s Chief Privacy Officer and Head of Data Use, referred to the new regulation as a “game-changer”.

Data Liability Extends to Third-Party Vendors

In December 2015, the EU reached an agreement on language for the General Data Protection Regulation (GDPR)—a single law to replace the various data protection laws of the EU countries. GDPR expands the scope of data privacy protection in the EU, which greatly impacts how businesses collect, store, and transfer data. Liability for non-compliance (also extending to third-party vendors) could result in fines of up to four percent of total global sales.

Safe Harbor 2.0?

Companies had previously been able to rely on Safe Harbor, which allowed for the legal transfer of EU customer data. The European Court of Justice struck down Safe Harbor in October 2015.

While regulators are working on a new Safe Harbor, the absence of a current legal framework for data transfer means that affected companies may already be in violation and subject to penalty. Under the new EU legislation, companies will need to prove that transferred data is encrypted or otherwise scrambled to a sufficiently high industry standard to be thoroughly protected, or they will need to physically relocate their data servers. Data breaches that carry substantial risk must be reported to regulators within 72 hours. Companies that process data on a large scale are expected to have a data privacy officer on staff to ensure compliance.

Need to Review Operational Strategy

The European Council plans to adopt GDPR in early 2016, with enforcement taking place in 2018. Still, businesses are already looking to review their data compliance practices, due to the complexities involved in implementation.

According to Computer Weekly, recent surveys of affected international companies show that two-thirds of them expect increased costs of doing business and a need to review strategy. This includes training employees on data privacy, updating data privacy policies, addressing data breach monitoring, and hiring subject-matter experts or a data privacy officer.
