International Companies and GDPR: Three Things to Consider

Posted 25 July 2017 3:38 PM by Nigel Tozer

The winds of change are blowing stronger when it comes to compliance and, in particular, around privacy. Regulations regarding privacy are being beefed up globally: Australia made significant changes in 2014, Japan’s amendments landed in May, and the second stage of South Africa’s PoPI will be introduced this year. The European Union’s General Data Protection Regulation (GDPR) goes into effect next May and, of the bunch, it’s considered the strictest. The GDPR also carries the biggest fines if you’re found to be in breach.

1. As a multinational, what should you really think about these changes - and specifically GDPR - as it covers the huge EU marketplace?

On one hand, the GDPR actually makes things easier. Instead of contending with 28 different EU privacy and data protection regimes, which vary in nature and enforcement, the ‘single market’ approach will finally apply to privacy as well. From May 2018, there will be only one regulation to consider. The downside is how stringent the GDPR is and, of course, the risk of those often-cited huge fines.

2. Those fines – can they really be enforced?

If you look at anti-trust cases in the past, large multinationals have actually paid some large sums to EU regulators – Intel and Microsoft, for example. For them, being stopped from trading in the EU would hurt, and that’s the position you need to consider for yourself. We will have to see where the current anti-trust case with Google goes; I expect a lengthy appeal and ultimately a lower number than the €2.4bn fine currently imposed on them; either that, or a lot of people in Europe will be moving over to Bing for their searches. If your EU revenue isn’t worth risking a fine of up to 4 percent of your global revenue, you could withdraw from the market. You’d still have to deal with the negative media exposure, the potential loss of non-EU customers and the hit from investors, of course.

3. There are benefits to becoming GDPR compliant - should you apply these standards to your global operations?

With privacy regulation on the rise around the world, making your business globally compliant with the highest privacy standard makes a lot of sense. It reduces the effort required to get ready for international growth in almost any market and lets you move faster than you otherwise could. You still need legal advice to take account of the differences by territory, but the delta should be much easier to implement than approaching privacy from a minimum starting point. In addition, being publicly open about a high privacy standard could boost your standing in your domestic market; trustworthy businesses can leverage that to increase market share and better retain existing customers.

Getting on board the GDPR train

Dealing with foreign regulations isn’t easy: despite the volume of information that’s readily available, there is also a lot of opinion that can muddy the water (especially in the case of the GDPR). The full text of the GDPR is freely available for your own legal counsel to review. The EU regional regulators have some really useful resources, including DIY assessments and ‘getting started’ guides – the UK’s ICO is a good example. If you’ve already got a European operation, engaging a specialist there to perform a Data Protection Impact Assessment (DPIA) at your regional headquarters is a great way to start. You can also contact Commvault about our GDPR Workshop and how Commvault can help with GDPR compliance, of course.

Whatever action you decide, just don’t leave it too late.