How US Companies Are Becoming GDPR Compliant

Most firms are updating their privacy notices

To reduce the probability that they’ll be fined for violating new privacy laws, companies are taking basic steps to protect themselves.

In an August 2018 survey of 145 US corporate directors of public company boards conducted by BDO USA, nearly eight in 10 respondents have conducted a gap assessment and updated their privacy notices to comply with the General Data Protection Regulation (GDPR). About one-third of those polled have increased their data privacy budgets and appointed a data protection officer.

The steps that respondents are taking to comply with the GDPR are pretty small. But that may be because the sample came from US companies and the GDPR is an EU law. US companies can still be affected by the GDPR if they have EU customers or audiences. News publishers like the Los Angeles Times and Newsday have blocked traffic from the EU rather than risk being fined.

But US companies typically are not as sensitive to the GDPR as those in the EU. In a June 2018 survey of 600 IT and legal professionals by Dimensional Research and TrustArc, more than a quarter of respondents said their firms were fully GDPR compliant, while just 12% of US companies said they were GDPR compliant.

Although the GDPR is an EU law, US companies probably shouldn’t wait to get their data in order.

The California Consumer Privacy Act was signed into law this summer and is set to take effect in 2020. In August, Quorum Analytics analyzed the content of press releases, newsletters, social media posts and floor statements from members of Congress and found that Congress is increasingly discussing technology. And in an April 2018 poll of US internet users by Janrain, 68% of US internet users say they support GDPR-style rules in the US. These signs indicate that folks in the US are increasingly embracing technology regulation.

The EU’s General Data Protection Regulation (GDPR) became enforceable on May 25 and states that a user’s personal data can be used only if that individual gives a company explicit permission. Companies that violate the GDPR can be fined €20 million ($22.9 million) or 4% of global revenue, whichever is greater.