Communications Litigation Today was a Warren News publication.
Advice: Don't Panic

Some US Companies Struggling With GDPR Readiness

U.S. companies are generally taking the EU general data protection regulation seriously, but many will struggle to achieve compliance by the May 25 deadline, privacy experts said. There's a perception in Europe that American businesses are ahead in the rush to meet GDPR requirements, but one expert thinks European organizations are better prepared. Challenges for U.S. businesses are getting management buy-in, the absence of a strong American concept of data privacy, and the difficulties of finding all GDPR-relevant data across organizations, observers said.

The perception is that Europe has the GDPR figured out while U.S. companies lag, said Greg Sparrow, senior vice president-general manager of CompliancePoint, which advises U.S.-based multinationals. At a recent workshop with businesses from mom-and-pops to Fortune 500 companies, the vast majority either had some awareness of the regulation or were just now trying to get their heads around it, he said. European organizations "are better prepared," said Sparrow. The rest of the world "gets" data privacy, but the U.S. doesn't have a strong concept of privacy and consumer rights, he said. In the U.S., data security has traditionally focused on a system rather than a data life-cycle model, he said. Companies must now superimpose data management concepts such as how to capture and use data and how to build data life cycles into their products and services, he said.

U.S. companies appear to be taking the GDPR seriously, emailed ZwillGen privacy lawyer Melissa Maalouf. With its broad extraterritorial scope, the regulation is essentially creating a global regulatory standard that's generally applicable to all companies that collect and process personal data about EU data subjects, with few exceptions, she said. "Warnings from EU regulators of stringent enforcement, the possibility of hefty fines of up to 4% of annual global turnover, and the ability for data subjects to bring private rights of action for non-compliance, all give teeth to the GDPR in a way that other data protection regimes have been criticized for falling short."

Computer and Communications Industry Association members "have put unprecedented resources to comply with GDPR over the past two years," wrote CCIA Europe Senior Public Policy Manager Alexandre Roure. "A huge amount of work has been done across entire organisations to ensure that they are GDPR ready. Compliance officers, lawyers, engineers, product developers, marketers, etc. -- all have been involved. Tech companies are certainly among the most prepared." CCIA members include Amazon, Dish Network, Facebook, Google, Netflix, Samsung and Sprint.

The key question is what GDPR "compliance actually means," said Maalouf. She said the Article 29 Data Protection Working Party (WP29) and other EU regulators have provided some guidance, but "many unanswered questions" remain about how the measure will be enforced and how EU courts "will interpret its complex and often vague provisions." Maalouf sees many U.S. businesses working toward "compliance" by considering their unique risk profile, such as the company's general size and complexity, whether it has a physical presence in the EU and the size of its European operations, how many people's personal data it processes, and how much revenue it derives from the EU.

Despite "tremendous time and resources" U.S. companies are spending on GDPR compliance, "there are still many companies and vendors that, while technically subject to the GDPR, are not even aware of its existence or its broad extraterritorial scope," Maalouf said. And she noted "GDPR compliance will not end on May 25; May 25 will just be the beginning." Sparrow doesn't think most U.S. companies will be ready because of a lack of management leadership.

Compliance 'Culture' Sought

One key stumbling block is the lack of a "culture" of GDPR compliance, Maalouf and Sparrow said. Another is the difficulty of finding and mapping all data collected and circulated through a company, they said. Organizations aren't sure how to secure consent from existing customers to retain ongoing relationships with them given that, offered the choice, many people are likely to opt out of marketing, said Sparrow. Organizations often provide their customer data to other vendors and must now decide how to deal with such risks, he said.

GDPR compliance "requires resources and good project planning," emailed Hogan Lovells data protection attorney Eduardo Ustaran. Much of the challenge arises because, though compliance with the current data protection law should help, "not many organisations have devoted the necessary attention to this issue and as a result, when faced with a more demanding and high profile framework such as the GDPR, the task is disproportionately huge."

Asked what advice she gives clients about the GDPR, Maalouf said, "To breathe." It's most important to get compliance right and tackle the requirements step by step, she said. The regulation "is really a codification of the concept" of privacy and security by design, which has long been considered a best practice in the U.S., EU and elsewhere, she said. While burdensome, GDPR compliance also will go a long way toward helping a company achieve global privacy compliance, implementing a culture of privacy and security by design, increasing consumer and brand trust, and generally competing on privacy, she said. Ustaran urged companies not to panic, writing in January that they should prioritize by looking for "those issues that are more likely to make a greater contribution towards data protection in practice."

American consumers "may see some ripple effect from the EU's strong data protection rules," Consumer Action said Feb. 27. "We're hopeful that all consumers will benefit from stricter data security, gain a reasonable measure of control over their personal information and benefit from the EU's strong regulation," said Director-National Priorities Linda Sherry. It mostly will be the enormous global companies that harmonize data practices with the GDPR, she emailed. However, since U.S. enterprises that want to process EU citizens' data must sign up to Privacy Shield, "we feel that companies will do so," she said.

"While the implications for both technology companies and publishers are potentially enormous, the regulation has seen little public discussion in the US," said the Columbia Journalism Review Thursday. News publishers may not be the primary target of the regulation, but as organizations that use tools and carry advertisements that collect data about readers, they will be required to comply, it said. Key provisions for publishers are obtaining user consent and complying with the right to be forgotten, CJR said. It cited a 15,000-some word Columbia Graduate School of Journalism Tow Center for Digital Journalism report for publishers on GDPR.

ICANN, which meets next week in Puerto Rico, will have sessions on GDPR compliance and recently met with WP29, President Göran Marby blogged Wednesday. IAB Europe Thursday published draft technical specifications for its GDPR transparency and consent framework for public comment.

Editor's note: This is Part III in an occasional series of stories about how stakeholders are grappling with GDPR. Part I looked at domain-name stakeholder compliance, namely at ICANN: 1801290027. Part II looked at corporate efforts in Europe: 1802070001.