The United States has “been behind the curve in the privacy arena,” says Ken Stasiak, a principal at RSM US.
American companies will be impacted if they have data about EU residents, he notes. But it is also likely American companies, faced with complying with regulations in one part of the world, will simply decide to apply the standards everywhere they do business.
The possibility of the spread of standards like GDPR was spelled out in mid-May comments on RSM’s special report on mid-market cybersecurity. In those comments, Daimon Geopfert, the firm’s principal and national leader of security and privacy services, said, “GDPR is an indicator of the very likely course of upcoming privacy laws in the U.S., and organizations would be well-served to start implementing GDPR-style processes around data privacy and consent.”
If nothing else, businesses in this country need to know where their data is and whether they store data about EU residents, because they could face severe fines for violations. Those are 2 percent of a company’s overall revenue “not just in areas under GDPR, but globally,” Stasiak says.
News about GDPR is spreading. Last month, BDO USA and InterEdge announced the launch of GDPR Edge, a blockchain application for increasing security of application code and data. BDO is integrating the application in its governance, risk, and compliance advisory services. Microsoft is promoting the product launch and the system itself utilizes Intel Software Guard Extensions.
Meanwhile Thomson Reuters is promoting the new privacy era on its website under the headline “Data Privacy: a New Dawn in the Age of GDPR”. The page has interviews with a variety of experts, including some from EY, and a section “views from the C Suite”, featuring interviews from C-level leaders from several major companies.
An August 2017 RSM article on cybersecurity notes that EU data needs to be segregated from other customer data “much in the same way that U.S. organizations now protect and segregate credit card data through network segmentation standards under the Payment Card Industry Data Security Standard.”
It also points out, “Under GDPR, individuals can request that companies provide all data they maintain about them, and extensive, detailed information about how such data is protected.”
RSM's Stasiak says there are many details to be worked out about how GDPR will be implemented. The implementation of HIPAA (the Health Insurance Portability and Accountability Act of 1996) probably provides a good analogy for how GDPR will play out. “HIPAA has taken a long time for the U.S. government to roll out and hammer out requirements,” he says. Parts of GDPR are likely to take a similar course.
Stasiak says the difference between EU regulations and the American approach is that under GDPR, data privacy must be built into systems from the beginning.
The key question companies must answer about company data is “Do you know where that data is being stored and processed?” Stasiak says.