From anecdotal evidence given by leading data protection lawyer Robert Bond, it would seem that the deadline for GDPR has sneaked up on a significant number of US organisations and caught them unawares. At a round table organised by the Direct Marketing Association at the end of April, Bond said: “Where I am seeing a lot of panic now is the overseas third-party processors who have never ever had to comply but are suddenly being caught by the fact that GDPR is extra-territorial.”
Companies have previously been in “some ivory tower” assuming the regulation does not apply to them. Bond, a solicitor and partner at Bristows, said that in just one night he had three US companies contact him asking for help, saying, “we don’t have anything in place, but we realise that it applies to us. Do you have a quick fix solution?”
“An awful lot of businesses outside the EU suddenly realised GDPR is extra-territorial.”
Bond said: “There’s an awful lot of businesses out there, particularly outside the EU, who suddenly realised the extra-territorial nature of GDPR. That’s come as quite a shock and they were assuming that it’s a tick-box exercise and, of course, it is not.”
In contrast, the results of a self-selecting online GDPR-readiness test run by Mailjet suggest that roughly half of the US respondents are confident they have practices in place that would make them GDPR-compliant.
In terms of data protection, 53% of US respondents stated that they encrypt the data that they process and 47% claim they have a warning system in case of a breach that could put customer data at risk. Exactly half of US respondents said that they ensure consent is obtained and 44% state that they make it easy for data subjects to withdraw consent. Over half (52%) of US respondents said that they ensure their suppliers are compliant.
The tests were carried out online between February and April 2018 by 3,878 respondents in total. Respondents from the US made up 4% of that total, or 155 people. When considering these results, it is worth bearing in mind that the respondents were self-selecting and that the US sample was very small.
However, Bond has experience of dealing with johnny-come-lately US companies as well as with those that made forward planning a priority. He spoke of a US client who prepared for the enforcement of GDPR far enough in advance that he now has time to capitalise on his company's compliance by marketing it as a differentiator.
"What has this got to do with me? I've nothing in the EU."
The client runs a Nevada-based aftercare sales call centre that works for major organisations. In July 2017 a partner organisation told him that if the call centre was not GDPR-compliant by January, the partnership could no longer continue. Three months later, another partner organisation said the same thing.
Between them, those two partners accounted for 50% of the company’s revenue. Bond’s client called him up and asked, “what has this got to do with me? I have nothing in the EU.” Bond responded that because the company acts for an EU customer, processing large volumes of consumers’ data, it will have to comply.
By January 2018, everything was in place for the company to be compliant. “By February, he had his lightbulb moment which was, ‘wow! I should go out and sell my compliance as the differentiator between me and my competitors.’ And he's doing it, he's winning business. That's the return on investment.”
While anecdotes and online surveys merely scratch the surface of the true picture of GDPR-readiness among US companies, they go some way towards illustrating what is happening on the other side of the Atlantic ahead of this far-reaching regulation.