GDPR (General Data Protection Regulation).  In some circles, it’s very much a part of the security buzz.  In others, it’s met with all the attention given to The Boy Who Cried Wolf.

One of the most common questions SMBs ask is how GDPR is actually enforced, given the size and limited resources of their organizations.  Enforcement comes through three avenues:

  1. Fines (EU presence): If the company is established in the EU, the national supervisory authority (data protection authority) can impose administrative fines directly, up to €20 million or 4% of worldwide annual turnover, whichever is higher, with appeals heard by the courts of the member state concerned.
  2. Default judgments: GDPR also reaches companies with no EU establishment if they offer goods or services to, or monitor the behaviour of, people in the EU (Article 3(2)), and such companies are required to designate a representative in the EU (Article 27).  A company that simply ignores proceedings can end up with a default judgment against it.  The situation is similar to a person convicted in absentia by a country they have fled: the judgment stands, but no extradition agreement forces the person's return.  In the GDPR case, the company carries an unresolved judgment that, in practice, must be settled before it can do business with companies located in the EU or otherwise subject to GDPR.  Because GDPR obliges controllers to use only processors that provide sufficient guarantees of compliance (Article 28), EU companies can be effectively barred from contracting with such a company, which means this mechanism has a wider reach than many realize.
  3. Privacy Shield: Privacy Shield replaced Safe Harbor, the US-EU arrangement that supported the EU's 1995 Data Protection Directive (which GDPR replaces) until the Court of Justice of the EU invalidated it in 2015.  Under Privacy Shield, the Department of Commerce administers the program and the self-certification list, while enforcement against US companies comes from the Federal Trade Commission and, for the carriers it regulates, the Department of Transportation.  What makes Privacy Shield interesting is this: the framework is reviewed jointly every year, and if the EU judges US enforcement to be insufficiently aggressive it can withdraw from the agreement, cutting off the transfer mechanism that certified US companies rely on.  So there are mechanisms by which the EU can pressure the US to ensure GDPR is enforced.

The impact on SMBs could be immediate, or it could take some time to reach them.  What is generally agreed is this: EU regulators are expected to be aggressive as they begin enforcing GDPR, and they will be looking for examples to make.  Likewise, the EU is expected to look to the US to be equally aggressive.

Adding to this, once the large companies have put the controls, processes, and technology architecture in place to meet GDPR, those investments scale, which means GDPR compliance becomes a mechanism for large companies to put pressure on competitors.  Looking ahead, it is very likely the US will see legislation similar to GDPR enacted here.

Here’s why: 

All of the big companies will have to comply with GDPR; it is simply a business decision they cannot walk away from, because the revenue and opportunity lost by withdrawing from the EU market is too great.  So, once the larger companies have GDPR processes and technologies in place, it only makes sense for them to support and pressure the political system to create similar statutes in the US.  Doing so creates barriers to entry for competitors that are not GDPR compliant, and it will be presented as concern for the privacy of US citizens.  The political pressure for privacy legislation, which has traditionally come from the liberal and libertarian sides, will then also include the "big-business" conservative side of the political spectrum.

If this happens, it will affect SMBs as well.  So ignoring this boy crying wolf about GDPR's teeth sinking into SMBs looks like a bad bet.  Being proactive now is not only good for your business in general; it will also prevent headaches and potential financial loss later.

If you have questions about GDPR, contact us at info@peters.com to get in touch with one of our security architects. We are happy to help!