Dive Brief:
- GDPR may be deterring some American businesses from operating in the European Union, according to a CompTIA survey of 400 executives and professionals across industries and businesses in the U.S. Around one-third of businesses don't think the regulation will impact their EU business, and another third think it will negatively impact willingness to do business in countries under GDPR's scope. The remaining companies are unsure.
- Confusion abounds over GDPR's geographic scope and what type of companies it will affect. Only one-quarter reported being "very familiar" with GDPR, and around 30% believe the regulation doesn't take effect until the end of the calendar year. Around two-thirds of American companies are unaware of the fines imposed by GDPR for noncompliance — 4% of global annual turnover or approximately $23.8 million (whichever is greater).
- About half of respondent companies are either fully, mostly or somewhat compliant, and despite associated costs most reported secondary benefits from conducting data audits, readiness assessments and other compliance measures.
Dive Insight:
Compliance efforts have been lagging around the world, but for companies outside of the European Union, deferring to a foreign regulation and upending internal processes to comply may be counterintuitive. GDPR may not readily apply to companies without an EU footprint or user base, but as more vendors and providers roll out global compliance solutions and have to hold partners accountable, businesses that thought they were exempt could still be caught in the crosshairs.
Google, for example, released requirements for advertisers and publishers on its platform related to user consent and paths to revoke that consent. An American company confined to the geographic regions outside of the EU is still subject to these policies.
Box, a cloud content management company, assesses and audits vendors handling personal data in accordance with GDPR compliance mandates. If an American company wants to do business with this Silicon Valley-based cloud company, it too must meet the new data protection standards.
Even when compliance doesn't appear mandatory or unavoidable, recognizing and adjusting to the new global data protection paradigm being ushered in by GDPR can be beneficial for a business in the long run. GDPR is ultimately a tool to protect the data rights and privacy of individuals, and by holding companies accountable to these individuals promotes data-centric business models and cultures.