The new European General Data Protection Regulation goes into effect next May, with onerous notification requirements and high penalties, but a year might not be enough for firms to get ready.
Recent surveys show that most companies are not prepared for the regulations. According to a recent SailPoint survey, 80 percent see GDPR as a priority, but only 25 percent have an established plan. Gartner estimates that the majority of all companies affected by GDPR will still not be in compliance at the end of 2018.
The general idea behind the law isn't new, he said. Europe has long had a tradition of data protection.
"However, through the GDPR, the European Union has added a great deal of detail and greater enforcement and greater expectations for data protection," he said.
In addition, companies must have a Data Protection Officer, notify authorities within 72 hours of discovering a data breach, and delete private data of customers and employees on request.
All of these pose their own unique challenges.
The Data Protection Officer, for example, is a company employee, but answers to regulators.
"In the United States, this is a very very unusual idea," Wright said. "You hire someone and that someone has an obligation to be talking to a regulator and telling a regulator what the regulator wants to know."
If a company wants to replace its Data Protection Officer, or reprimand or demote them, there will be some obstacles in the way, he added.
"They can claim that they were retaliated against because they were doing their job of cooperating with the regulators," he said. "In my experience, it's a unique challenge in employee governance in Western countries."
Who is affected?
In general, any company that has users in Europe should comply with the new regulations, including online companies with no physical presence in the region. However, some aspects of the law vary based on size of company, types of data collected, where the data is kept, and other factors.
For example, not every company needs to have a Data Protection Officer, said Wright, only larger ones -- but it's not yet exactly clear what the size cut-off is.
Breach notification and penalties
The heart of the law is the breach notification requirements. US companies are already familiar with breach notification because most states have some form of it on their books.
However, GDPR goes a lot further.
Companies are required to report a breach within 72 hours of discovering it. That means that companies have just three days to determine the scope of a breach and whether any sensitive data was lost.