American companies involved in various businesses on a global scale will be aware that the introduction of the EU GDPR legislation is just months away. As a result, they have made data privacy their top priority to ensure compliance. American companies that hold or process EU citizens’ personal data, whether within or outside EU member states, will be subject to these rules.
The USA, however, is not new to the protection of private information, so implementing GDPR will not present significant challenges to some American companies. America has had several earlier opportunities to implement data protection regulation, such as HIPAA, and is therefore familiar with data protection rules.
Research reveals that over half of multinational corporations have the new General Data Protection Regulation at the top of their business agenda. The study, conducted by PwC, showed that 54% of top senior executives had prioritized GDPR preparation on their data-privacy and security agenda. Multinationals may have assessed the risks of non-compliance and decided to adjust their schedule to prevent business inconveniences in the future. The survey, which involved more than 500 employees and 200 C-suite executives, also found that a significant percentage (38%) of managers included the EU regulation as one of their top priorities. Only a small proportion of them did not see the importance of prioritizing the regulation.
The PwC research covered three phases of GDPR compliance: companies that have completed preparations, those whose preparations are underway, and those that have yet to start. The study shows that most of the 71% of firms whose GDPR preparations are underway are mainly concerned with, and working on, privacy policies, information security, GDPR gap evaluation and data discovery. Their preferences differ slightly from those of managers who have yet to initiate important GDPR preparation strategies.
A majority of the 23% of companies that have not started preparations prioritize information security enhancement, data discovery, gap evaluation and third-party risk management. According to the findings, only 6% of companies have completed GDPR readiness. The majority of them are concerned with third-party risk management, GDPR gap assessment, data discovery and information security. The survey revealed that IT re-architecture is the least prioritized objective for corporations in all three phases of GDPR readiness.
Mitigating GDPR Compliance Risks
It seems that the prospect of a hefty penalty under GDPR has served its purpose of instilling discipline and broadening the perspective of many business managers. This can be deduced from the study's finding that a majority (77%) of companies plan to allocate $1 million or more to GDPR. The allocation would possibly be spent on mitigating the imminent risk of non-compliance. While 68% indicated that they would invest between $1 million and $10 million, 9% revealed that their budgetary allocation for GDPR would be over $10 million.
BCRs on the Rise
Regarding the most preferred European Union cross-border transfer mechanism, three quarters (75%) of the respondents revealed that they would use Binding Corporate Rules (BCRs). 77% plan to self-certify to the Privacy Shield agreement between the European Union and the United States. The study found that 58% of respondents believe that model contracts would be part of their plans given the annulment of the Safe Harbor agreement.
Minimizing GDPR Exposure Risk
The majority of companies will resort to centralizing their data centers in Europe in order to reduce GDPR risk exposure. 64% of the senior executives believe that doing so will minimize their risk exposure under the new EU regulation. More than half indicated that they would plan to de-identify European personal data to deal with exposure. Most organizations are evaluating their structures and processes in light of the GDPR requirements.
However, many companies plan to take a shortcut. According to the findings, 32% of the respondents said they plan to reduce business operations in Europe, while another 26% will consider leaving the European Union market.