U.S. organizations are taking General Data Protection Regulation (GDPR) compliance at least as seriously as their European Union counterparts, according to a recent survey commissioned by Veritas Technologies.
The GDPR passed in the EU will put in place privacy rules across all EU countries. Organizations that fail to comply can be fined up to 20 million euros or 4% of their worldwide revenue. The regulations call for organizations to disclose retention times for personal information and allow customers to demand that organizations erase their personal data if they do not consent to its collection. In many cases, companies must notify authorities of data breaches within 24 hours. To reach GDPR compliance, many companies must make significant changes to their business practices around collecting and storing data. Organizations must be compliant by May 26, 2018.
In a survey of 900 companies worldwide with at least 1,000 employees, Veritas found that less than 31% of global companies meet the minimum standards today. That may not be a great surprise, considering companies still have nearly 14 months to comply. But it is a surprise that U.S. organizations are running ahead of those in the U.K. and European Union in meeting GDPR compliance. Of the 200 U.S. companies in the survey, 35% were in compliance, and U.S. companies plan on spending 20% more than European companies to comply.
A PwC survey released in January that polled 200 U.S. companies with more than 500 employees found 77% plan to spend at least $1 million on GDPR compliance.
“The expectation was that European organizations would be further ahead,” said Zach Bosin, Veritas director of solutions marketing. “But American companies have taken a thoughtful approach and started investing in becoming compliant.”
Why should U.S. companies care about an EU regulation? Because GDPR applies to any data held in connection with an EU resident. Any U.S. organization selling to customers in Europe would have to follow GDPR guidelines. That includes e-commerce companies that reach a global customer base.
Organizations need to know what personally identifiable information (PII) they have on European residents, and they must be able to present that information upon request by consumers to be in GDPR compliance.
Veritas and other data protection vendors say they can help because their technology is already used to store vast amounts of companies’ data in backup and archiving systems. Bosin said Veritas has created a framework for staying GDPR compliant built around its products such as NetBackup, Enterprise Vault, Data Insight and its Resiliency Platform. The vendor is also offering assessment services to help organizations gain GDPR compliance.
Bosin said the five key stages for becoming GDPR compliant are locating the relevant data, searching it, minimizing data through retention and deletion policies, protecting data transparently with audit reports, and monitoring data so a company can respond to a breach within 72 hours.
“We will integrate more advanced search, classification, and protection tools in our products,” Bosin said.