Privacy protection is about to change.
Starting on Friday, May 25, the European Union will be enacting the General Data Protection Regulation. This regulatory action could change the way that companies operate globally. The GDPR requires companies to clearly outline where consumer data will be used and also ensures that the data will not be used for inappropriate purposes.
"Investors need to inspect their current and future investment portfolios for GDPR compliance, as negligence could impact their pocketbooks. Just this morning, right before the GDPR deadline, the University of Greenwich was fined £120,000 [$161,000] by the U.K. Commissioner for a data breach. This is relatively small compared to the 4% of total revenue that will be exercised beginning May 25, but a great example of what's to come. The reality is that most organizations have chosen to do nothing or are now in panic mode trying to understand GDPR compliance. So as an investor, I recommend asking GDPR-related questions as part of the normal investment process now and moving forward," said George Gerchow, chief security officer at Sumo Logic Inc.
Experts say that there are two main worries when it comes to GDPR. The steps that the company is taking in order to respect GDPR and whether the company will respect the regulation, which means avoiding the hefty fines threatened by the EU.
"One of the biggest risks investors should worry about when it comes to the GDPR is the heavy fines and sanctions that could be imposed if an investor is determined to be non-compliant. The fines can consist of up to €20 million and regulators could issue warnings or even permanently ban non-compliant potential investors. In addition, GDPR still contains many uncertainties, making it difficult to ascertain whether one is considered non-compliant. This ultimately requires investors to be ultra vigilant when accessing potential client data," said Jeffrey Frankel, vice president of marketing for Traliant LLC.
In order to better understand the legal repercussions that companies face if they ignore the fine, Kevin Kish, privacy technical lead of Schellman & Co. broke down the legal issues.
"The GDPR classifies the legal entities who are liable for compliance and subjected to the regulation's fine structure as an 'undertaking.' An undertaking could be an independent organization, but may also be a group of enterprises (or group of undertakings). Since a group of undertakings who are engaging in joint economic activity can be classified as one 'undertaking,' this has broad implications for multi-structured organizations. Where investors aren't aware of or concerned with the lower revenue-generating entities and their information security and privacy programs, a breach affecting that entity could, in certain circumstances, subject the entire group's revenue to the 2-4% fine requirements," said Kish.
Andrew Burt, chief privacy officer and legal engineer for Immuta Inc. believes that the GDPR presents a risk to companies that operate in the EU. He also said that "it might be a wild ride" to start off, but that market research has shown "that companies that respect regulations have better stocks."
But, investors may not have to worry too much about GDPR.
Shone Anstey, executive chairman at Blockchain Intelligence Group, theorizes that some companies might move their data out of the EU. He says that he's already started seeing some companies outsource to countries such as Singapore.