The International Association of Information Technology Asset Managers (IAITAM) has claimed that the thousands of American companies doing business with Europe either directly or online will soon have to pay attention to newly enacted data privacy regulations introduced by the European Union this month.
Changes are not expected to take full effect for another two years, and many experts insist there will be plenty of time for companies on both sides of the Atlantic to gain a thorough and detailed understanding of the new rules.
The changes are set to affect some key areas of how American companies handle data security. For example, companies that find themselves on the receiving end of a data breach will be required to report the incident within 72 hours of it being discovered. Under US law, many American companies only choose to report a breach when the news is leaked to the public or the media.
It means many companies will have to demonstrate a willingness to take the issue of data security seriously and will have to appoint a data protection officer (DPO) with expert knowledge of data protection law and of the practices needed to fulfil certain tasks.
American companies dealing in Europe will also need to show extra care when handling the data of Europeans, as well as with any transfer of personal data carried out on an intercontinental basis. The upcoming General Data Protection Regulation (GDPR) will apply to any company that is either handling the data of EU citizens or is receiving any third-hand information.
Sweeping changes ahead
Consent is another area heavily affected, with data controllers now required to give proof that information has been gathered using methods that have obtained the subject's consent. Whereas before the mere use of a certain service by an end-user would have been enough to establish consent, there will now need to be sufficient terms and conditions put in place that must be explicitly agreed to.
IAITAM's chief executive officer, Barbara Rembiesa, said that American firms need to ensure they are aware of how far the new measures will go, while also understanding the potential consequences that will arise without compliance.
She said: “These are sweeping changes to how personal and corporate data is to be handled and they have far-reaching implications for many aspects of US businesses, particularly in terms of how information security is addressed.
“The days are long past when US businesses could worry only about complying with laws and rules in this country. Companies that fail to start planning now to deal with the General Data Protection Regulation (GDPR) requirements are going to be in for a real shock.”
That shock could come in the form of a significant legal or financial penalty, both of which potentially await organisations that fail to adhere to the new rules, and could even come on top of any existing legislative penalties. As a result, the IAITAM predicts the potential monetary penalties could even run into the billions.
“Between the sweeping scope of the GDPR and the penalty structure, this is a piece of legislation that should be treated seriously and with an eye to what it will take to ensure full compliance,” Ms Rembiesa added.
Data security landscape becoming more complex
The complexity of the data security landscape is set to be taken to another level on both sides of the Atlantic, meaning that it could be a real challenge for the authorities to keep up.
The dawning of the Internet of Things (IoT) means that almost every item of hardware, both in the home and at work, will soon be connected, meaning that data and personal information will be more ubiquitous than ever before and presenting fresh challenges in how to protect users.
As part of the GDPR the European Parliament has already unveiled new laws aimed at helping to protect the privacy of drivers, amid a significant increase in the connectivity of company cars and vans.
Again, there will be a far higher standard for consent, while any firm caught falling short of the rules will be heavily fined.
“Individuals must be empowered; they must know what their rights are and know how to defend their rights if they feel they are not respected,” said Frans Timmermans, first vice-president of the European Commission.
“The new rules will ensure that the fundamental right to personal data protection is guaranteed for all.”