EXCLUSIVE: While businesses and banks in the United Kingdom are moving (slowly) towards compliance with the General Data Protection Regulation, many U.S. companies are still figuring out if the regulation applies to them.
Unfortunately, these companies have precious little time to waste, according to the GDPR Beyond Borders conference that took place in NYC yesterday: the deadline to comply with GDPR, a data regulation that will tightly restrict how consumer information (including medical and financial) can be used, is May 25, 2018.
Fortunately, as the regulation only affects the data for EU citizens, the only U.S. companies that need to be concerned are those that have “anything to do with the European market or data,” Antonis Patrikios, partner, privacy, security, and information, for law firm Fieldfisher, said during a panel discussion at the conference yesterday.
The regulation, which concerns data privacy, could have a ripple effect on the way consumers approach the use of their data, Patrikios said, adding that the way GDPR is set up “looks very much like a U.S. class action regime.”
In other words, consumers in other countries might start seeking the same protections EU citizens are about to have, he said. The regulation “will influence legal regimes in other parts of the world—maybe not the U.S., but Asia and the Pacific,” Patrikios said.
One of the reasons U.S. companies should start looking into their GDPR compliance sooner rather than later is the consequences: non-compliant companies could be fined €20 million, or 4% of their turnover, for misuse of an EU citizen’s data, Pierre-Nicolas Schwab, chairman of the big data initiative for the European Broadcasting Union, said during the event.
This, as well as the fact that it’s almost impossible to avoid dealing with data from the European market, is why mobile marketing company Braze (formerly Appboy) is “treating everyone like an EU citizen,” Susan Wiseman, SVP, general counsel and corporate secretary for the company, said at yesterday’s event.
One of the problems for companies that need to become compliant is the regulation itself: parts of it were left deliberately vague, Wiseman said, and other complications could make it quite difficult for businesses to fully support the regulation.
“The people who made GDPR don’t really understand technology,” Wiseman said. “There’s requirements for GDPR that technology just doesn’t do.”