The past month has delivered a renewed focus on protecting personal data, thanks to Facebook drawing all sorts of flak for how it managed people’s sensitive information.
So European Union regulators might be patting themselves on the back for their new General Data Protection Regulation, a set of data-handling rules due to take effect on May 25.
Below are five things to know about GDPR, which has been making American companies — including Facebook — change how they do business.
In January, Facebook COO Sheryl Sandberg said the company was trying to make it easier for the social network’s users worldwide to manage their privacy before the wide-ranging EU law kicks in.
In recent weeks, the social-media giant has been enduring a firestorm and stock selloff after data-mining company Cambridge Analytica reportedly used the personal details of up to 87 million Facebook users without authorization.
1. No EU operations? GDPR still may apply to you
U.S. enterprises may be making a big mistake if they react to GDPR with a Gallic shrug.
All companies, government agencies and nonprofits that interact with EU residents are subject to the new law, according to security experts from consulting firm RSM.
“Many organizations underestimate the amount of EU data they hold and, therefore, may not understand the legislation’s potential effect,” wrote RSM’s Daimon Geopfert and Alain Marcuse in a column published by the Boston Business Journal.
“For example, banks, hospitals, hotels and other organizations that hold data from EU residents are subject to the GDPR.”
2. Failure could mean sizable fines
The law promises hefty fines for companies that fail to notify authorities of breaches within 72 hours.
The maximum fine would be up to 4% of annual sales or 20 million euros ($25 million), whichever is higher, noted Jefferies analysts in a recent report. Companies also would have to alert affected individuals within 72 hours, in certain cases.
That means, for example, that Google parent Alphabet — with its $111 billion in annual revenue — potentially would face a fine of $4.4 billion if it were ever found to have run afoul of that rule.
3. Three overall goals
GDPR has three goals, according to Qualsys, a U.K. provider of software products that tackle governance, risk and compliance issues.
Alex Pavlovic, a Qualsys exec, laid out those aims as follows in a recent blog post for his company:
• To unify and strengthen the protection of personal data for EU citizens
• To give EU residents greater control of how their data is stored and used
• To control how personal data is exported outside the EU
4. There’s a lack of readiness
Companies aren’t that prepared for the new rules, even though they’ve had many months to get ready, if British businesses are any guide.
GDPR was approved by EU lawmakers in April 2016.
Every company trying to get ready for GDPR right now: pic.twitter.com/fYpTIBhTIv
— Rian van der Merwe (@RianVDM) January 31, 2018
“Despite being aware of GDPR, only 37% of boards reported being aware of the GDPR requirements for their business,” said Jefferies analysts.
They were referring to results from the U.K. government’s 2017 Cyber Health Check survey, which was published in August. It targeted the FTSE 350, an equity index made up of the 350 London-listed companies with the largest market values.
“Only 6% of boards describe their businesses as completely prepared to meet the requirements,” the analysts added.
While the U.K. plans to exit the European Union eventually, due to the country’s June 2016 vote in favor of “Brexit,” analysts have said British companies shouldn’t think that they’re saved from the new EU rules.
5. GDPR could mean a boost for one insurer’s stock
“The insurance industry could experience a material increase in demand when companies begin to assess their GDPR requirements,” the analysts wrote.
The British company is known for its Beazley Breach Response product, which is largely pitched to small- and medium-sized U.S. businesses and helps with conducting an initial probe, sending notifications to affected individuals and more.
This is an updated version of a story that was first published on March 21, 2018.