How GDPR poses a challenge to American businesses

In the past, compliance requirements were largely driven by U.S.-based regulations, but that has changed with the GDPR being a primary example. The European Union’s parliament approved the GDPR in April 2016, and it is set to become an enforced regulation in May 2018. Because the legislation has been produced by the EU and appears to focus on organisations and individuals within the Union (or shortly to be outside in the case of the UK), many outside its borders have simply ignored it. A recent survey conducted in the US by NTT, for example, suggested that three quarters of businesses there were doing so because they did not believe that the regulation would apply to them.

This is, quite simply, wrong because the legislation applies to any company that does business with persons based in EU member states, no matter where that company may be located around the globe. And a failure to embrace and act on this could be distinctly painful, because the penalties for non-compliance are potentially draconian – a fine of up to €20 million or 4% of global turnover in the previous financial year, whichever is greater.

At its most basic level, the GDPR requires organisations to understand what information they have, who has access to the information and where the information resides. Organisations then need to take the necessary steps to protect privacy-related user information.

GDPR focuses on personally identifiable information [PII]. It can include items such as credit card numbers, Social Security numbers, birthdays and home addresses, which are collected both online and in various aspects of normal business activities. Understanding where data resides is the first step in dealing with the GDPR as it defines where the risk might exist. The regulations state that organisations have to take reasonable steps to secure the information, meaning if the information is breached or compromised in some way, that it is not useful.

There are multiple things that organisations can and should be doing to protect PII, including data encryption. Additionally, activities such as e-discovery, compliance archiving and security content management all play roles in GDPR compliance as well.

Firms are having to allocate resources – buying in legal advice, entering into a lot of IT spend. But too many haven’t got a budget, haven’t got a resourcing plan and time is ticking. And the other problem is that, because this is a completely new regulation, there’s no case law to interpret it so people don’t necessarily understand yet what it will really mean for their business.

There are firms out there, for example, which believe that they might have to delete their entire database. But, one thing is certain – there are going to be a lot more people asking to see their data and being a lot savvier about what is happening to that data. And very few organisations are currently geared up to dealing with that level of scrutiny.

However, the most important thing to do by May 25th is to make sure that you have a roadmap that will eventually make you compliant. It is important to show to regulators that you are involved in considerable effort to be GDPR-compliant.  Seeing GDPR as one big constraint is like swimming against the current. Instead, the organisations that succeed in seeing this as an opportunity will be the front runners.

Many organisations, not only in US but also in Europe, are focusing on keeping to business as usual, while remaining compliant, but maybe that’s the wrong way of thinking. It would be more beneficial to view GDPR as a catalyst to identify where a data driven organisation wants to be in five years’ time, so using it as a springboard for change, an opportunity rather than a hurdle. And remember that, if a firm pursues transparency and control over data relating to professionals they will be on the way to building a genuinely trustworthy organisation.


By Öykü Isik, Assistant Professor, Vlerick Business School

GDPR Summit Series is a global series of GDPR events which will help businesses to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.

Further information and conference details are available at