WHAT HAS THE IMPACT BEEN ON MIDDLE MARKET BUSINESSES IN THE AFTERMATH OF ‘STORM GDPR’?
The vast majority of middle market companies in North America were far from compliant when the GDPR went into effect on 25 May. As recently as April 2019, the RSM US Middle Market Business Index (MMBI) survey, conducted in partnership with the US Chamber of Commerce, showed that while 78% of middle market companies expect to be affected by the GDPR or similar privacy regulations (most notably the California Consumer Privacy Act, CCPA), only 40% understand the requirements of these regulations. Although the maximum fines for non-compliance represent a much higher percentage of revenues for middle market companies than for larger companies, middle market companies have often adopted a wait-and-see approach, sometimes encouraged by their regulators, on the assumption that GDPR fines would be slow to reach across the Atlantic. As 2019 rolled in, however, the Google fine made it clear that enforcement is coming against US companies, and many middle market companies are finding that the real risk to their business comes from European partners refusing to work with non-compliant American firms. Together with the realisation that the CCPA is also going into effect in just a few months, interest in complying with the coming wave of global privacy regulations continues to accelerate in North America in 2019.
WHICH OF THE GDPR PRINCIPLES HAVE BEEN MOST CHALLENGING FOR BUSINESSES?
While all the GDPR principles have proven challenging in North America, including ensuring appropriate safeguards for transferring data out of the EU, it is the constraints around purpose limitation and storage limitation that pose the most significant challenge. Leading companies had increasingly embraced Big Data, collecting as much data as possible and keeping it indefinitely in the expectation that future techniques would be applied to derive value from it. This clearly conflicts with the GDPR requirements. Companies have been challenged to fundamentally re-think Big Data and data retention, and to devise techniques that meet the GDPR requirements.
“North American companies that have embraced compliance are finding rewards in business agreements with European partners and opening new revenue streams.”
GDPR AND FINDING OPPORTUNITY IN CHANGE
While the GDPR poses significant challenges to middle market companies in North America, forward-thinking companies have realised that it also presents an opportunity for competitive differentiation in the market, as consumers become increasingly aware of the pervasive collection and sale of their personal data. Companies that have embraced compliance are finding rewards in business agreements with European partners and opening new revenue streams. Similarly, companies that started their GDPR compliance efforts early have found they have a much easier path to CCPA compliance. In this context, truly progressive companies have opted to adopt a GDPR-like posture even when they had no legal requirement to do so, realising that this would strengthen their position in the market.
WHAT IS ON THE HORIZON FOR DATA PROTECTION?
It is becoming increasingly clear that the GDPR was part of a global wave of data protection regulations that could dwarf the efforts companies have had to invest in cybersecurity. In the United States, the California Consumer Privacy Act was passed in June 2018 and becomes effective in January 2020, with provisions and penalties similar in scale to the GDPR. US businesses have been lobbying for a federal law that would pre-empt state laws, but given the current political environment in the US, a federal law appears unlikely in the near future, which means that other state laws will continue to follow in California’s footsteps, as Vermont and Colorado have already done. Beyond North America, Brazil passed the LGPD in 2018, and many other countries have passed, or are considering, variations on the personal data protection theme. The time for smart companies to get ahead of this coming wave has come.
For more information on the GDPR legislation, and advice on any relevant GDPR training, please contact us.