Time moves quickly when you’re having fun, and it moves even quicker when you’re planning for GDPR. There is now less than a year to go until the new data protection regulation comes into force. But are international organisations as prepared for GDPR as those in Europe? They should be, because any international organisation processing or controlling personally identifiable information (PII) of European citizens will be affected by the strict changes to the former EU Directive.
Although companies sitting outside the EU may be aware of GDPR, we find that many are behind the curve in assessing not just the risks but also the opportunities. The daunting fines that businesses could face for non-compliance should be enough for anyone to realise the importance of reviewing their risk management strategy. But with the strategic importance of GDPR evident, demonstrating robust privacy controls and trust is also a critical competitive advantage. Failing to do so can mean losing clients to competitors and the trust of shareholders. There is also an opportunity to extend the processes required for GDPR into a global strategy, for example by adopting a ‘privacy by design’ approach so that privacy is embedded into all operations and systems. Taking this approach will be an important step in enabling ‘security by design’ for business resilience.
When exploring how the new regulation applies to your international business, the following questions need to be considered:
- How will PII data be stored? Should investments be focused on centralising this data in the EU or more towards anonymising it?
- How will GDPR affect cross-border data protection agreements and regional laws?
- Are your global incident response plans taking into consideration the 72-hour breach reporting requirement for EU data?
- Do you have the global resources and time to map out the vast amounts of data in motion across multiple platforms and devices?
- Are parent/group companies accountable for their subsidiary companies?
Organisations across the world will be at different levels of readiness for GDPR: from understanding the requirements and their effects, to initiating a plan, to ensuring that the controls already implemented demonstrate compliance. But wherever you are on your journey, the impact on your business cannot be ignored, and organisations would do well to seek help from qualified external partners to understand, navigate and manage the challenges and opportunities they face.
Download our thought leadership paper to learn more about the impacts of the GDPR for international businesses.