The European Union's sweeping new data protection rules, the General Data Protection Regulation (GDPR), take effect on May 25, 2018, but some 95 percent of business IT departments in the United States have yet to begin preparing to meet the requirements.
That low rate of preparation is troublesome, according to a new study by Spiceworks, which also shows that businesses in many other countries are lagging in their GDPR preparations. The problem is that the rules reach any business, in any country, that collects or processes personal data about people in the EU, and non-compliance carries large fines. That means a U.S. company that collects any data about EU customers, from sales data to marketing data and anything in between, must also comply with the rules.
The seven-page Spiceworks study, "GDPR: The Impact on IT," found that only 40 percent of businesses in the United Kingdom (U.K.) and 28 percent of companies in the rest of the EU have begun to prepare for the GDPR, which was designed to replace the patchwork of national data protection laws with a single, uniform set of rules protecting individuals across the EU.
Those numbers are lower than expected with the GDPR only 10 months away, Peter Tsai, senior technology analyst for the Spiceworks professional network, told ITPro.
"But we know in general that people procrastinate," he said. "With Windows XP, everybody knew they had to switch, too, but they were dragging their feet."
The GDPR is a new thing for everybody around the world to deal with, said Tsai, and for the U.K. it is even more complicated because of that nation's decision last year to leave the EU.
The Spiceworks survey, conducted in June 2017 among 779 IT respondents at companies of all sizes in the U.S., the U.K. and the rest of the EU, found that only nine percent of IT pros in the U.S. said they are very informed about the GDPR, compared with 43 percent of U.K. respondents and 36 percent of respondents in the rest of the EU.
Ultimately, the low number of U.S. businesses preparing for the new rules means that many will likely be scrambling later when they discover that the rules apply to them, said Tsai. Fines can be levied on U.S. companies, but many people may not realize that, he said.
"I would think that people would have been preparing earlier," especially with the risk of being penalized or fined, said Tsai. "We expect to see a lot of people getting started soon."
The difficulty is that compliance work takes time to carry out within IT departments, and U.S. companies in general are "woefully uninformed" about the upcoming regulation, said Tsai.
"If people find out they do have to comply three months before the deadline, there's going to be a mad scramble," he said. "That's problematic to say the least."
European companies have been hearing about the GDPR since it was adopted in 2016, and they have also been hearing from vendors and consultants that offer services to help them comply. In the U.S., it has not been in the news every day, so the responsibility will fall on executives and IT leaders to make sure their organizations are in compliance, said Tsai.
"It's a legal issue and a technical issue, with lots of things on the back end that have to happen to bring it all together, such as the right to erasure of personal data for EU residents," as well as breach notifications within 72 hours of a breach and more, he said.
The Spiceworks study also found that 15 percent of IT departments in the U.K., 14 percent in the rest of the EU, and 21 percent in the U.S. have no plans at all to prepare for the GDPR in the next 12 months. Among those IT departments, nearly 50 percent said they aren't preparing because it's "not a priority at their organization," the study found. "Many IT professionals also don't understand the requirements while others lack the time, resources, and budget necessary to prepare."
The GDPR replaces the earlier EU data privacy law known as the Data Protection Directive. It applies to organizations established in the EU, and also to organizations outside the EU if they offer goods or services to, or monitor the behavior of, individuals in the EU. In other words, the GDPR covers any organization that processes or holds the personal data of people in the EU, regardless of where that organization is located.
Penalties for non-compliance are costly. The most serious violations, such as processing data without a valid legal basis (for example, insufficient customer consent) or failing to honor individuals' rights over their data, can draw fines of up to four percent of a company's global annual turnover or €20 million (about $22.7 million), whichever is higher. A lower tier, up to two percent of global annual turnover or €10 million, whichever is higher, covers operational failures such as not notifying the supervisory authority of a data breach within 72 hours of becoming aware of it, and not informing affected individuals without undue delay when a breach poses a high risk to them. Personal data under the rules is any information relating to an identified or identifiable person, including a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer's IP address.
In May, another Spiceworks study found that women working in IT in the U.S. have more education than their male counterparts, but are paid about six percent less than the men they work with.