How a cybersecurity law in the EU could forever change Utah businesses

Jeffrey D. Allred, Deseret News


By Liesl Nielsen, KSL.com | Posted - Mar. 9, 2018 at 12:39 p.m.




SALT LAKE CITY — When you sit down at a restaurant, you’re not usually worried about falling ill from food poisoning. Thanks to U.S. Health and Human Services' regulations, you’re fairly confident your food was stored and prepared in a clean and relatively disease-free environment.

When you go to the doctor, you’ll take your prescribed medication with nary a qualm because you know it’s been tested, approved and deemed somewhat safe by the Food and Drug Administration.

Now think about online shopping, online banking or any other time you’ve given personal information to a website or company over the internet.

Do you know where it goes? Do you know what it’s used for? Is it stored somewhere safe and secure?

In the digital age, personal information is passed rapidly through the recesses of the internet, but consumers often know very little about the regulations companies must follow when it comes to using and storing that information.

Come May 25, however, the European Union will launch the General Data Protection Regulation — the EU's new data privacy regime that regulates companies’ access to and transfer of people’s data.

And while the regulations are targeted at the European Union, any American company that collects data from European citizens will also be beholden to the same rules.

“You could name a ton of (companies) here in the Silicon Slopes that are international companies definitely dealing with the EU,” said Jeffrey Lush, founder and CEO of BAP, an organization that aids businesses in assessing their cybersecurity health.

“They’re estimating around two-thirds of U.S. companies will be impacted and 85 percent of them will be at a competitive disadvantage if they do not comply with GDPR.”

The European Union could fine companies up to 4 percent of their global revenue for not following the new rules.

The regulations will limit the way companies deal with data, and businesses will only be able to store and process personal data with an individual's consent and for no longer than is necessary.

It will also require companies to erase personal data if a customer asks them to and report data breaches to those affected within 72 hours of when the breach is detected.

“Here in the U.S., we don’t have that rule,” Lush said. “So you see companies like Equifax, Uber, Target. These guys are holding on to cyber threats for months and months before exposing it to the public.”




To avoid getting fined, Lush says companies will need to assess where their cybersecurity measures are lacking, then shore up those areas by creating systems that store, secure and use personal information in a way that is compliant with the new regulations.

Over half of U.S. multinational companies say the General Data Protection Regulation is their top data-protection priority and 77 percent plan to spend $1 million or more on compliance, according to a report from PricewaterhouseCoopers, the largest professional services firm in the world.

According to Lush, regulation surrounding information technology and cybersecurity is still in its infancy. It’s been frustrating, he said, to watch an acceleration of cyberattacks, especially against small- and medium-sized businesses, 60 percent of which will go out of business within the first year if they’re compromised by a cybersecurity attack.

Many companies, he said, are trying to "drive with a flat tire" and are operating with a huge gap between where their cybersecurity standards should be and where they actually are.

Yet, Lush believes the General Data Protection Regulation will set a standard for the world. Ryan Taylor, chief privacy officer of Utah tech company Domo, said he’s witnessing something similar.

“We’re seeing privacy law changes out of China, out of Japan, out of Australia,” he said. “The GDPR really is the model for the rest of the world. The U.S. is really one of the few countries not going down this path of comprehensive federal regulations that protect personal information. We need to deal with the GDPR … and work towards compliance.”

Domo, he said, began working towards compliance over a year ago in preparation for the May 25 deadline. While large enterprises may be spending significant amounts of money on compliance, a smaller company like Domo is mainly reallocating limited internal resources to come up to speed, he said.

"It is hard to do. It’s complicated. It takes work. But it does promote individual rights to data," Taylor said. “If I were to make a recommendation to someone else who hasn’t started (becoming compliant), I’d say, ‘Get started right away.' It’s not too late to do something.”
