The EU’s incoming General Data Protection Regulation (GDPR) will become the “global standard”, an Irish expert has warned — as 100 IBM executives descend on Washington DC to implore Congress not to introduce similar rules in the US.
The GDPR was ratified in 2016 following four years of negotiation, replacing the existing directive on data protection.
Unlike an EU directive, which can be implemented over a certain time, the regulation becomes law as soon as it takes effect on May 25, meaning penalties can be imposed from day one.
The regulation is designed to harmonise data privacy laws across Europe and to protect citizens’ data privacy.
It not only applies to organisations within the EU but also to firms that do business inside member states.
If companies fail to comply with the regulation, they can be fined up to 4% of annual global turnover, or €20m.
IBM bosses, who are scheduled to meet with about 200 members of Congress and staff members this week, will tell lawmakers the US needs its own privacy framework and shouldn’t adopt the GDPR.
“GDPR may work for Europe, but that doesn’t mean it should become a global standard,” Christopher Padilla, IBM’s vice president of government and regulatory affairs, said.
However, CEO of Dublin-based Ward Solutions, Pat Larkin, said the GDPR was already on its way to becoming the global standard.
Ward Solutions has been working with firms on GDPR compliance for two years, yet some companies are only enquiring now, he said.
“I believe it will become the de facto global standard, because it applies to companies and organisations doing business in the EU and those with EU agreements. There is significantly less awareness outside the EU and the penny still has not dropped for even many large firms. But the fact is that if you effectively accept customers that are in the EU, then you need to be compliant.”
Mr Larkin said business models would have to change.
“There are still firms coming to our door, looking to become compliant. The ignorance of the law is still out there. Firms must realise business processes will need to be put in to reflect GDPR. It could potentially impede business models, no question.”
IBM is arguing the US government should instead partner with industry groups to craft a new data privacy framework “tailored to America’s needs”.
“Doing nothing is not an option,” Mr Padilla said. “But we don’t think a one-size-fits-all approach works necessarily here.”