by Oleg Shvaikovsky, Board Member at Nortal, March 2, 2018
A quick scan of the web will yield dozens of articles, ranging from the alarming to the reassuring, about how prepared US companies are for the EU’s new General Data Protection Regulation. With the May 25 compliance deadline fast approaching, such noise is only likely to grow.
Scratch the surface of these articles, however, and you’ll see that they’re based on surveys that are either out of date or focused only on a very narrow band of the corporate spectrum. For instance, authors of some recently published pieces are still quoting a PwC Pulse survey, which they may not realize is based on 2016 data. Other surveys commonly used as evidence polled only a small sample of Fortune 500 companies or startups.
While such polls may have been useful in their original contexts, they do little to paint an overall picture of the current state of GDPR readiness in the US. We’re lacking a fresh, broad-based survey that answers the fundamental question: Of all US companies that will fall under GDPR, how many are really ready?
At present, all we have are hints. We don’t really know.
For C-suite managers who have yet to take action on GDPR, it might be tempting to assume that the number of unprepared companies in the US is large, and therefore further delay isn’t a real problem. After all, EU regulators are less likely to get around to looking at a single US company amid the chaos. Those hefty fines for non-compliance – equivalent to US$24 million or 4 percent of annual turnover – are then less of a risk.
That approach ignores some important dangers. Starting May 25, companies open themselves up to expensive litigation over violation claims or, worse, damage to their reputations for not handling private data the way the law requires.
In addition, the longer a company delays in starting its GDPR transition, the harder it will be to find an available, qualified Data Protection Officer in case one is needed.
On the positive side, there is still time left. Keep in mind that GDPR compliance doesn’t have to be treated as a burden – it can be turned into an investment.
There’s no question that this is going to be a complex transition. Success or failure ultimately depends on the willingness of managers to step up, get started and see it through.