By Alain Marcuse, Director of Security, Privacy and Risk, RSM US
Preparation for Storm GDPR
While the GDPR introduces significant changes for European companies, those companies have largely lived under the related provisions of the 1995 Data Protection Directive and the GDPR has been more of an evolutionary development. This has not, however, been the case for US companies, which in many cases have been in the position of having to catch up with 20 years of experience compared to their European counterparts.
The learning curve in the US has been much steeper than in Europe. Core concepts are often unfamiliar to many US companies - for example, thinking of data privacy as a fundamental individual right (instead of as a company’s assets), or understanding the distinction between US concepts of ‘PII’ (well-defined data elements of personally identifiable data) and the GDPR’s notion of ‘personal data’ (which is much broader and less defined).
In addition, US companies have had to face unique compliance challenges, notably as related to cross-border transfers, since the US is not deemed to provide adequate safeguards for personal data (except under Privacy Shield), and conflicting obligations between US state and federal laws and the GDPR, which does not recognise non-EU legal obligations. As a result of these circumstances, GDPR compliance efforts in the US have generally been significantly harder than in Europe.
Over the last year, the risk landscape for US companies has evolved and shifted in focus. While the initial concerns surrounding GDPR compliance centred on the well-publicised penalties that could be levied by EU supervisory authorities, it has more recently become apparent that the greater risk - at least initially - for US companies lies in the legal and commercial consequences of non-compliance.
Specifically, GDPR compliance is now a key element in many merger and acquisition efforts that involve a European partner, and also in commercial relationships with suppliers and customers alike. More immediate than regulatory action, the risk of deals being scuttled because of compliance concerns, or of losing customers or suppliers, is what is focusing the attention of US middle-market companies.