Over 90 Total Lots Up For Auction at One Location - WA 04/08

Are U.S. healthcare companies ready for GDPR?

June 08, 2018

According to the GDPR website itself, fines administered for noncompliance and the amounts levied depend on 10 key criteria: the nature of infringement, intention, mitigation, preventative measures, history of violations, level of cooperation with the supervisory authorities, data types, notification, data protection certifications, and other. Infractions that are considered “lower level” violations, such as not having data records in order, failing to notify the supervisory authority and data subject about a breach, or not conducting privacy impact assessments, are subject to up to €10 million, or 2 percent of the worldwide annual revenue of the prior financial year, whichever is higher. Infractions that are considered “upper level” violations, such as violations of basic principles related to data security and conditions for consumer consent, violations of data subject rights, and transfers of personal data to third parties or international organizations that do not ensure an adequate level of data protection, are subject to up to €20 million penalty, or 4 percent of the worldwide annual revenue, whichever is higher.

In addition to the above findings, 39.7 percent of businesses responded that they lack regulatory understanding, which is holding them back from working toward meeting the data protection standards. The EU has yet to issue official assessment criteria and thus, increases difficulty for businesses to implement a solution when there is no telling how regulators will officially evaluate them. In the same survey, 36.8 percent of businesses said their lack of budget was a factor in compliance failure, while another 33.8 percent noted low brand visibility, concluding they feel safer as a small company that may not be targeted as easily. Additionally, 27.9 percent of businesses said they were unconcerned with being GDPR compliant. Respondents did not report whether they were unconcerned due to lack of understanding, lack of threat, or lack of business presence in the EU.

The topic of data privacy and protection is not a new one for those living within the EU. The GDPR actually replaces a similar directive that was put into effect in 1995 when the internet was gaining tremendous attention while increasing further in its consumer usability. Since then, the way that web giants such as Google and Amazon utilize their customers' data has become so complex in nature that customers oftentimes don’t realize what personal information has been stored. The GDPR differs from privacy regulations in the United States as the American approach to information privacy is comprehensive in nature.

You Must Be Logged In To Post A Comment