During the six-year lead-up to the May 25, 2018, effective date of the European Union’s General Data Protection Regulation (GDPR), much attention was focused on the onerous financial penalties for noncompliance.
The maximum penalty is so big that it almost defies comprehension: 4% of an offending organization’s global annual revenue.
However, some companies may not believe that the EU and its member countries will be able to collect such sums after enforcement activity begins, which presumably will happen at some point.
For that or other reasons, more than one in ten (11.7%) of 490 participants in a Deloitte webcast in late June said their companies were taking a “wait and see” approach before moving toward GDPR compliance.
“A lot of people are sitting back and saying, 4%? That’ll never happen,” says Rich Vestuto, managing director, Deloitte Risk and Financial Advisory. “Well, what is the wake-up point, then? One percent? Half a percent? You’d still be talking about a tremendous financial penalty.”
Additionally, 21.2% of those polled said “don’t know” or “not applicable” when asked whether their companies can currently demonstrate a “defensible position” on GDPR compliance.
Only about a third (34.5%) of the audience said “Yes, we can demonstrate compliance today,” while about the same proportion (32.7%) said they expected to be compliant by year-end.
Aside from financial penalties, there is reputational risk in not complying, Vestuto notes.
Some of the laggards may be afflicted with “paralysis by analysis,” he suggests. Others are just overwhelmed by the magnitude of the task.
GDPR is designed to provide data protection and privacy for all individuals within the European Union and the European Economic Area. It imposes on organizations a long list of rules for protecting the data and privacy of customers and employees. It also holds organizations liable for noncompliance by third parties that have access to employee or customer data.
Deloitte polled webcast participants on their compliance efforts with respect to third parties. Just 13.6% of them said their companies “currently know what data third parties have.” That’s a disconnect with the fact that a much larger proportion of participants said they can demonstrate compliance in general, Vestuto points out.
Notably, the regulation requires companies to provide individuals who ask for it with information on what personal data a company possesses and what it’s using the data for.
Even companies that don’t have operations in Europe may be at risk. If a company merely does business with citizens of EU countries — for instance, those that buy something on the company’s website — and fails to protect their data properly, the EU “claims it can penalize the company,” Vestuto notes.
It’s difficult to see willful noncompliance as anything short of foolhardy, because the EU is just the first in a wave of jurisdictions that are expected to adopt GDPR-like measures.
California already has approved regulations, slated to take effect Jan. 1, 2020, “that are every bit as strict as GDPR,” Vestuto says. And it’s widely believed that Australia, Canada, and New Zealand will follow. Fortunately, most of the work done to comply in one jurisdiction likely won’t need to be replicated for others, according to Vestuto.
Meanwhile, data-privacy rules in Europe may put multinational companies in an awkward position with respect to litigation.
As part of the electronic discovery process, U.S. courts typically require litigants to turn over any emails that may be relevant to the case.
“Here in the U.S., the data on my Deloitte laptop is owned by Deloitte,” Vestuto points out. “But within the EU there’s an expectation of privacy, even when you’re on your company’s computers and email servers. A U.S. court won’t care that some potentially relevant emails came from Italy — it will order you to produce them. And an Italian court will say no, you can’t produce those emails, because they contain personal data.”
Information commonly contained in emails such as email address, phone number, and position with one’s employer is all considered personal information in most European countries.
“There already had been a conflict between the EU and the United States on discovery, but GDPR amplifies it that much more,” says Vestuto.
In Deloitte’s poll, 30.6% of participants said GDPR will make the discovery process more difficult, and 34% said “don’t know” or “not applicable.”