Ninety-two percent of U.S. multinational companies cited compliance with the looming General Data Protection Regulation (GDPR) as a top data protection priority, according to new research from PwC. Sixty-eight percent are earmarking between $1 million and $10 million on GDPR readiness and compliance efforts, with 9 percent expecting to spend over $10 million, says Jay Cline, PwC’s U.S. privacy leader.
Cline says PwC's latest survey showed that fear remains the biggest motivator for U.S. CIOs, who are "connecting the dots" after watching data breaches lead to lost revenues, regulatory fines and the erosion of consumer trust. "U.S. companies see the connection between doing privacy well and greater revenues and consumer trust," says Cline, who surveyed 200 CIOs, CISOs and other C-suite executives.
Short of a catastrophic breach, there may not be a better business case for U.S. companies operating in Europe to fortify their cybersecurity and risk management portfolios than the GDPR, which regulators will begin enforcing on May 25, 2018, to ensure data protection for individuals within the European Union (EU). Businesses that fail to comply with GDPR's broad and extensive rules face a potential fine of up to 4 percent of their global revenues, potentially worth hundreds of millions of dollars.
GDPR compliance is onerous
The burdens placed by GDPR are overwhelming, even for U.S. multinationals with considerable resources. GDPR stipulates that companies maintain adequate data records; notify regulators in the event of data breaches; guarantee customers the right to be forgotten; and enable customers to take their data with them. In some circumstances, such as when data processing is carried out by a public authority, GDPR requires companies to appoint a data protection officer.
Facing these requirements, many enterprises are struggling to revamp their data protection mechanisms and construct risk assessment processes for privacy compliance and security, says Bart Willemsen, a Gartner analyst who has fielded hundreds of client inquiries about GDPR in recent months. They're also agonizing over how to institute the breach prevention, detection, forensics, remediation and notification measures the GDPR mandates. Businesses are also challenged by both the legal and technical aspects of data residency and location.
"Cross-border transfers and the allowed mechanisms cause concern and require action in both the legal and the IT department, even in vendor selection and procurement processes," Willemsen says.
CIOs and CISOs are turning to encryption (both in transit and at rest), tokenization and technologies that enable pseudonymization, including big data analytics, internet of things (IoT) and blockchain. As if these in-house obligations weren't enough, CIOs must also ensure that their cloud vendors and other third-party partners are adhering to GDPR specifications.