The new GDPR (General Data Protection Regulation) is less than 90 days away and it’s estimated that only 21% of U.S. businesses have a plan in place. That means 79% of U.S. businesses haven’t figured out how they will report breaches in a timely fashion, provide customers the right to be forgotten, conduct privacy impact assessments (PIAs) and more. If you are one of those businesses that haven’t put a plan in place because you don’t think the new regulations apply to you in the U.S., you’re wrong.
As the new regulation states, any company processing, storing or using data related to an EU citizen will be subject to citations and accompanying fines for noncompliance — even if it’s just one customer. That’s right, there is nowhere to hide. If your organization manages data that involves even one EU citizen and you don’t properly comply with the new GDPR, you can face fines up to 4% of your global revenue (up to £20 million).
The threat of stiff penalties has forced tech giants like Facebook to hire additional personnel to decipher the regulation’s many layers and ensure they’re fully compliant.
AWS, Amazon’s secure cloud server platform, says that it welcomes the GDPR. On top of its own compliance, the computing/storage giant created a new data processing agreement (GDPR DPA) available to all its customers and offers additional resources to help them comply with specific requirements. Among the multitude of product and service updates Google must make, it has already amended its terms and conditions for AdWords Customer Match and AdWords Store sales. The tech behemoth urges users to log in and accept the “new data protection terms related to the EU General Data Protection Regulation (GDPR) and other EU privacy frameworks,” as soon as possible so their paid ads remain eligible to serve.
But what about the 79% of companies who have no plan?
Compliance will vary by company and industry, especially for those operating in new technology markets. Cryptocurrency is one of the newest and most unregulated commodities. In response to the current cryptocurrency craze, high-growth cryptocurrency exchanges have erupted around the world. Anonymity is at the core of decentralized transaction processing and the underlying blockchain technology on which cryptocurrency was built. Cryptocurrency was designed to be decentralized, operating outside current financial regulations like those enforced by the Financial Industry Regulatory Authority (FINRA) and the Securities and Exchange Commission (SEC). However, cryptocurrency companies can still be fined millions for GDPR noncompliance.
The GDPR assigns distinct titles to organizations based on the way they collect and use data. Under the law, organizations are labeled as either “controllers,” “processors,” or both. However, blockchain transactions are conducted peer-to-peer and the system itself acts as a shared public ledger, so identifying “controllers” and “processors” is difficult. Fulfilling regulatory requirements like consent, as defined under Article Seven of GDPR, may pose particular issues for cryptocurrency exchanges and networks.
At first glance, some U.S.-based cryptocurrency exchanges such as Coinbase and Kraken appear not to have released any material suggesting they have made efforts toward GDPR compliance. Such rapidly growing companies could be focusing resources on scaling their business, making the GDPR a lower priority. That being said, come May 25, digital currency exchanges could be an easy target for the EU Parliament, whether they are prepared or not.