At CyberCrunch™, we aim to help you stay vigilant regarding the consequences of potential data breaches that could affect your business.
This month, we’ll talk about how the upcoming EU GDPR data legislation may create challenges for your business and could expose United States companies to liability. It comes into force next month so it’s important to be aware of the consequences and solutions.
We’ll also discuss a new study, which shows that the cost of failing to comply with data legislation has risen dramatically and is significantly higher than the cost of maintaining compliance.
If you would like help or advice about the safe, secure disposal of sensitive information, or any information about recycling your electronics more generally, contact us.
EU GDPR law creates possible data disposal challenges for US companies
US businesses could be exposed to data breach liability if they are not familiar with new European legislation coming into force on 25 May 2018.
The EU's General Data Protection Regulation will bring about the greatest change to European data security in 20 years and will include tighter data laws such as “the right to be forgotten”, 72-hour breach reporting, stronger consumer consent and high fines.
The scope of the legislation is far-reaching and broadens the definition of personal data. It has taken a lot of work for European businesses to familiarize themselves with the new law.
But will US-based companies be affected if they have no direct links with any of the 28 member states of the European Union? Unfortunately, yes, in some cases they will be.
Any company that markets its products or has other links to the EU needs to be fully aware of the changes because the legislation is very likely to touch them too. This is particularly important when it comes to data disposal.
How do I know if I have an EU footprint?
To determine whether you have an ‘EU footprint’, ask yourself the following questions. If you answer yes to any of these, you need to think about GDPR.
- Do you have EU individual data?
- Do you work with organizations that have a footprint in the EU?
- Do you have suppliers, vendors or customers in the EU?
- Do you have employees, stakeholders or customers who are EU citizens?
- Do you market to EU residents, citizens and visitors?
- Does your website collect cookies?
- Do you run digital marketing, PPC, email or advertising campaigns that target EU individuals?
- Do you run conferences, print advertising, etc. that target EU individuals?
If you aren’t aware of what’s going on, at least to some degree, you could face serious fines, so you’ll need to do some homework. It’s also important to note that the UK’s exit from the EU will not affect its adoption of the new legislation.
What does GDPR mean for data disposal?
To help you get to grips with the data disposal side, we’ve put together some key points for US companies to be aware of.
- The time to report a GDPR data breach is shorter – If you suffer a data breach under GDPR guidelines, you only have 72 hours to report it. If the timing obligations are not met, businesses must justify the delay to the supervisory authority.
- More individuals are responsible for your data – Previously, in many cases, the responsibility for the data lay with the controllers only. Under GDPR, processors are responsible as well. It’s important to remember, though, that the controller is liable for the actions of the processors, so US-based companies that may have an EU footprint should choose their processors carefully.
- Anyone disposing of your data must be compliant with GDPR – If you employ another company to dispose of your data and electronic equipment, you must now ensure both parties agree that all data processing activities are compliant with the new regulations set out by GDPR.
- All personal data must be traceable – According to GDPR rules, personal data must be recorded throughout its life cycle. You also need to provide proof of how the data is being protected and where it ends up when it is disposed of. The new legislation broadens the definition of personal data, so it covers many different types of data.
- The enforcement and fines are huge – Businesses are probably most concerned with the potential fines associated with the GDPR.
Fines for failing to follow the rules can be in the millions or even billions of dollars. Higher-tier breaches could cost organizations over 20 million euros or up to 4% of their gross sales.
At CyberCrunch™, we are fully up-to-date with all the new GDPR regulations, so if you decide to dispose of your data with us, we’ll ensure you are compliant. We’ll also provide you with serialized certification of destruction for your data so you can prove where and how your data was destroyed.
If you are unsure about GDPR, or would like to know how this affects your data disposal, please contact us for more information.
Cost of data non-compliance has skyrocketed over 7 years, says report
Around 90% of US businesses believe they will struggle to keep up with Data Protection laws. But new research shows that the cost of ignoring legislation changes far exceeds the cost of maintaining compliance.
A new report from research firm ‘The Ponemon Institute’ and security company ‘GlobalScape’ shows that non-compliance with data protection legislation now costs businesses an average of $14.8 million a year, a 45% increase since 2011.
It found that the cost of compliance averaged out at just $5.5 million, compared to anywhere between $2.2 million and $39.2 million for failure to comply.
On average, the cost of failing to comply with legislation was 2.71 times the amount dedicated to meeting compliance.
Some costs for non-compliance, which can be huge, include:
- Expenses associated with business disruption
- Productivity losses
- Settlement costs
How much does compliance cost businesses?
The report, “The True Cost of Compliance with Data Protection Regulations”, compared findings from 53 US-based multinational organizations with an earlier study completed in 2011.
It showed that businesses spend around 14% of their IT department’s budget on compliance. The study showed that, over a year, organizations spend an average of:
- $2 million on data security
- $1.3 million on compliance-related technology platforms
- $1 million on incident response
- $750,000 on audit and assessments
According to the survey results, companies that conduct regular audits are able to reduce their overall compliance expenses.
It’s important to remember that compliance costs vary depending on the industry. Industries with very strict data protection laws are the most affected, such as the financial sector, where spending on compliance could total $30.9 million a year.
Immediate steps to take to help you stay compliant
Here are some steps we advise you to take right now.
- Train employees up to the standards required for legal compliance with data protection legislation.
- Make it a shared objective between workers and management to embed these requirements into every aspect of the organization’s culture.
- Ensure that, when it comes time to destroy your data, you are compliant with all the latest data protection laws, such as proof of destruction.
If you would like help or advice on this topic, please contact us. At CyberCrunch™, we can help you follow all state and federal standards, and provide safe and secure recycling and data destruction to keep your customers’ sensitive information safe.