The New England Accounting Advisor

The European General Data Protection Regulation (GDPR) might be ushering in a new age of cyber regulations. In establishing parameters for how customer’s sensitive information should be protected and communication standards for communicating a breach, the GDPR has raised the level of awareness of cyber laws and protecting personal information. 

It has also sparked similar laws at the state level in the U.S. New York and California have both written into law cybersecurity measures that may be used as a template for other states or even broader initiatives to regulate the protection of digital information. The following provides a closer look at what the GDPR, California, and New York’s laws entail and their potential for broader application.

One of the biggest stories in cybersecurity over the past year is the European Union’s new data protection measures. The General Data Protection Regulations (GDPR) took effect on May 25, 2018, and applies to any company that collects and/or processes data from individuals residing in the EU. GDPR comes with steep penalties for noncompliance, including fines of up to 4 percent of global revenue, or sanctions preventing companies from continuing associated operations. Following the guidelines in the GDPR has understandably been a top concern for many organizations.

May 25 has come and gone, and the compliance clock is ticking for the European Union’s new privacy standards, knowns as the General Data Protection Regulation (GDPR). Private equity and venture capital firms with European investors, employees, and clients need to be sure that they meet GDPR requirements or else they risk significant penalties. Fines for noncompliance with GDPR may be as steep as €20 million or 4 percent of global revenue, whichever is greater.

May 25 has passed and no one has knocked on my door asking about my GDPR compliance. In fact, I know of many companies worldwide who have yet to begin working towards GDPR compliance. So if nothing has happened to them or me, why should I care now?

This is the question on the minds of many companies all over the world. Leading up to the implementation of the regulation, the General Data Protection Regulation (GDPR) loomed with the threat of hefty fines, but now that it is law, we have yet to hear about significant action being taken against non-compliant companies (as of the publication date of this article). While some of these companies are in a lower-risk scenario as they do not have European Union (EU)-based employees nor do they directly market to EU persons, anyone with personally identifiable information (PII) of EU-based individuals has some level of risk exposure.

Time is running out for companies to make significant changes to their data policies. But the biggest problem isn’t finding the time to make the changes before they go into effect; it’s the fact that many organizations don’t know the new rule applies to them.