Time is ticking down for US-based firms to prepare to meet the demands of the EU's General Data Protection Regulation, which goes into full effect on May 25.
Although firms without a presence in Europe may think that they will not be affected by the regulation, GDPR casts a long shadow, according to David Ross, principal, cybersecurity & IT risk at Baker Tilly, during a recent webcast.
"The EU is the third largest economy behind the US and China," he said. "Europe is touching your business in some way."
The regulation's maximum fine of 20 million euros or 4% of a firm's global revenue has generated a lot of fear, uncertainty, and doubt within US-based firms.
A poll of the approximately 800 webcast participants found that the majority of their firms (58%) were not compliant but are getting closer while 28% of the respondents said that their firms still had a long way to go. Only 9% of the audience claim their organizations are compliant and 2% of those polled did not know what GDPR is.
The trouble for US-based firms is that GDPR is vague in what it covers, according to Ross.
"The biggest problem is that it is broadly written," he said. "Usually there is a regulation and the case law that comes from the regulation, but we do not have the case law yet."
However, Ross expected that most US stakeholders, complying with GDPR would be a 30- to 90-day process depending on the firm.
He also noted that preparing for GDPR is a good warm-up for other data privacy regimes that are in the pipeline.
The UK Parliament is considering a somewhat stricter regulatory framework while Latin American nations are considering adopting GDPR or developing their own version of it, said Ross. "In the US, there are three privacy bills winding their way through Congress, two in the House and one in the Senate."
Firms can leverage their experience with other privacy-related regulations, such as Privacy Shield, Payment Card Industry Data Security Standard, and Health Insurance Portability and Accountability Act, according to Ross.
"As long as firms can demonstrate they are making progress towards compliance, they should be okay," he added.