Even if your organization isn’t based in Europe, you may need to plan for the European Union’s latest rules on data protection and privacy. The International Association of Information Technology Asset Managers is sounding the alarm for IT departments around the world.
The clock is ticking for IT departments around the world.
Global companies and organizations that are established in the European Union (EU), or that offer goods or services to people there, including those based in the United States, need to start preparing now for the EU’s new data-protection requirements, the International Association of Information Technology Asset Managers (IAITAM) warns.
“These are sweeping changes to how personal and corporate data is to be handled, and they have far-reaching implications for many aspects of U.S. businesses, particularly in terms of how information security is addressed,” IAITAM CEO Barbara Rembiesa said in a news release.
The association argues that American companies would do well to get ahead of the curve on the EU’s General Data Protection Regulation (GDPR) rather than face its penalties: administrative fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher, which for the largest firms means billions of dollars.
What’s on the Horizon
Though the regulation does not become enforceable until 25 May 2018, roughly two years away, there are plenty of tasks for businesses to tackle now in order to comply with GDPR.
“The days are long past when U.S. businesses could worry only about complying with laws and rules in this country,” Rembiesa warned. “Companies that fail to start planning now to deal with the General Data Protection Regulation requirements are going to be in for a real shock.”
Companies that conduct business in Europe, or that serve people in the EU online, will have to strengthen their data-protection procedures. For many of them that includes appointing a data protection officer: GDPR makes one mandatory for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data, and the officer must have expert knowledge of data-protection law and practice. There are also stricter consent rules for organizations that send or receive personal data of people in the EU. Where processing relies on consent, that consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action; silence, pre-ticked boxes or inactivity do not count, and withdrawing consent must be as easy as giving it.
One other significant change that could cause problems for U.S. firms is the breach-notification requirement: a personal-data breach must be reported to the competent supervisory authority within 72 hours of the organization becoming aware of it (not of its occurrence), unless the breach is unlikely to result in a risk to individuals, and the affected people must be told without undue delay when the breach is likely to result in a high risk to them. The 72-hour clock therefore puts a premium on being able to detect, triage and scope an incident quickly. In the United States, by contrast, there is no single federal standard; breach notification is governed by a patchwork of state laws with differing thresholds and deadlines, and organizations have frequently gone public only after a breach was reported by the media.
“What is important to take away here is that any organization that processes or handles data from EU citizens must become familiar with this legislation and fully understand the impact it will have on daily business processes,” Rembiesa added.
“Should Be Treated Seriously”
“Between the sweeping scope of the GDPR and the penalty structure, this is a piece of legislation that should be treated seriously and with an eye to what it will take [to] ensure full compliance,” Rembiesa said.