
GDPR Crosses the Pond

Most companies on the scale of the ones subject to the law will already have a data protection officer or something similar. But will that position be in compliance with Article 36, which stipulates, among other things, that the officer be “involved, properly and in a timely manner, in all issues which relate to the protection of personal data,” or Article 39, which lays out the officer’s six tasks, one of which invokes the stipulations of Article 35, the law about assessing data protection initiatives, which itself refers to multiple other articles?

When overseas businesses encounter this thicket of regulations, they might be tempted to just give up. But some are embracing the challenge by hiring employees whose job is solely to investigate GDPR compliance. The need for more data oversight, especially at multinationals with decentralized offices, could be a reason to bring data to the C-suite by hiring a chief data officer (CDO), something Gartner estimates 90% of large organizations will do by 2019.

Thrusting data oversight to the forefront is a smart bet in the age of high-profile breaches, such as the 1.5 billion accounts hacked from Yahoo 2 years ago. Breaches can ruin individuals’ lives, damage businesses’ sales, and erode public trust. In the case of Yahoo, a breach can lead to the largest class action lawsuit in history. Had GDPR been in effect in 2015, Yahoo, with $4.9 billion in revenue, could have been fined almost $200 million.

What’s Ahead

Can GDPR represent an opportunity? In their most organic state, businesses reject regulations; what enterprise wants to be told to tamp down on the money-making? But, deep down, businesses know they need arbiters of fair play. And the best ones play the rules to their advantage. With the unprecedented GDPR looming, savvy organizations have already started internal audits of data. They are dusting off old servers, peeling away the layers of amalgamated security and storage systems, and planning for the future strategically. They are aware that, although the GDPR won’t undergo wholesale changes for many years, commerce will continue to modernize—cloud computing, AI, Internet of Things, augmented reality, and the end of smartphones. As everything digitizes, data increases exponentially. If it is not safe and secure, it is not valuable.

As businesses undergo the GDPR adoption process, they will discover that their situation is not, in fact, so unprecedented. It was only 15 years ago that the U.S. passed the Sarbanes-Oxley Act (SOX) to protect shareholders, workers, and consumers from corporate accounting fraud. Grown from the disastrous financial scandals of Enron, Tyco, WorldCom, and others, SOX forced companies to keep meticulous, sophisticated data records that were subject to outside audit and came with steep penalties of not just money but imprisonment.

While the legislation passed Congress with near-unanimous support, over the early years of implementation, the law garnered praise and criticism alike. So perhaps it is not striking to see how it continues to get lumped in with other federal regulations as an IT headache. But what such treatment shows is that SOX compliance invariably leads to cost savings and business satisfaction. In one recent poll, three-quarters of financial advisors said that their clients would benefit if all public companies were subject to SOX’s controversial Section 404 requirement, which mandates them to report on the effectiveness of their internal financial controls.

When severe situations call for new systems of oversight, the winners are those that don’t panic and do their due diligence. Technology will still drive human interconnectivity, and governments will continue to preserve that still-coveted human desire called privacy. Opportunities for seemingly unlikely players—U.S. businesses with EU networks—lie everywhere in between.
