A roadmap to GDPR for US companies #1
This post is the first in a series intended to build a roadmap to GDPR compliance for US companies. We will be taking a deep dive into many important aspects of the law, for example the crossroads between GDPR and the EU-U.S. Privacy Shield, the conditions of consent, extra-territorial applicability considerations, and the right-to-be-forgotten provision and what it means for data retention policies and storage systems, to name a few.
Through an examination of the most confounding parts of the regulation we hope to build a practical roadmap that provides insights based on reliable research; qualified advice from experts with wide-ranging skills who understand the provisions of the regulation and can assess risk and remediation strategies; and input from technologists with broad knowledge of proven tools designed to help you succeed with your GDPR challenges.
It is essential to the success of the series that we address each topic using a semi-structured format: start by examining a particular provision, explore its implications for noncompliance, take the next logical step and suggest practical approaches and methodologies for mitigating exposure, and finally identify resources and technologies.
Like any roadmap worth its salt, it must be up to date and able to warn drivers of changing road conditions well in advance of their destination. To that end, we actively seek input from qualified individuals and organizations wishing to participate in this forum, and urge you to suggest topics of interest along the way.
Let’s start our roadmap by taking a bird’s eye view of the landscape and current conditions.
The General Data Protection Regulation (GDPR) is the new law enacted by the member nations of the European Union; it becomes effective May 25, 2018. It is arguably the most comprehensive legislation ever passed, giving the individual EU citizen a powerful new tool to control the who, what, where and how of the collection, sharing, storage and use of his or her personal information.
52% of US companies possess data on EU citizens (1), which makes them subject to GDPR. Research sponsored by Dell and conducted by Dimensional Research, published in September 2016, notes that companies with 100 to 1,000 employees represent the largest group affected (32%), companies with 1,000 to 5,000 employees represent 29%, companies with more than 5,000 employees represent 21%, and companies with fewer than 100 employees represent 18% of the companies affected by GDPR.
Noncompliance has a direct cost: failing to comply with GDPR can lead to a fine of up to 4% of worldwide turnover or 20 million euro (2). Stick around for this deep dive, coming soon; it should provide for a lively discussion!
Track your progress against the adjacent timeline to assess your organization’s position as May 25, 2018 approaches.
If you are on track or ahead of schedule, then you are in a small but highly commendable minority, representing approximately 6 to 10% of US companies, and your participation is certainly welcome in this forum.
But whether you're a little behind schedule or just getting started, you fall into the vast majority of US companies with regard to GDPR preparedness.
Don't panic just yet. We encourage you to stick around and participate with us; we are buoyed by the opportunity to provide meaningful insights and practical solutions.
Our next post takes a deep dive into the Consent provision of GDPR. Again, we encourage your continued engagement and participation.
D. Scott Clark, CPU-Group, LLC
Jacek Wróblewski, C&F
(1) C. (n.d.). Unprepared for GDPR? Retrieved July 23, 2017, from http://resources.compuware.com/unprepared-for-gdpr
(2) How to get ready for the GDPR – Capgemini Worldwide. (n.d.). Retrieved July 23, 2017