Unless you've been living under a rock for the past year, you're probably aware that the EU's new data protection regulations - also known as GDPR - are shortly going to come into force. GDPR holds organisations to strict standards regarding customer data, with harsh penalties for negligence and abuse.
It's a major issue for European businesses, and it seems like absolutely everyone is talking about it. In fact, along with the Brexit negotiations, GDPR is one of the biggest causes of uncertainty for businesses.
General Data Protection Regulation (GDPR) GDPR for small businesses: What it means for you The IT Pro view: Data protection and GDPR
As the senior vice president and EMEA general manger for a cloud storage and content management company, GDPR is understandably high on the list of priorities for Box's David Benjamin. "I personally feel that this is going to be a pretty defining moment in the industry," he told IT Pro. "It's going to be one of those 'inflection points', to use a Silicon Valley term."
One of the most significant parts of the legislation is the penalties for non-compliance. According to the law, if companies aren't abiding by the principles of the GDPR, they will be liable for up to 20 million or 4% of their global annual turnover - whichever is higher.
Despite these eye-wateringly steep fines, Benjamin says that companies are still failing to take GDPR seriously. "Customers I speak to are very aware of the impending May 2018 deadline," he said. "I don't sense, however, there is yet the movement within organisations to - and I hate using the expression - but to become GDPR-compliant. There's still an element of 'wait and see'."
This is reflected by a veritable avalanche of studies showing that companies are still unprepared for the regulations, including a new survey conducted by IT services firm Bluesource which showed that 80% of organisations will face "major challenges" for compliance when they come into effect.
US firms in particular may be caught by surprise, Benjamin said. He pointed to the Equifax breach, which has just been revealed to have affected nearly 700,000 UK citizens. "If that had happened post-May 2018, they would have been subject to a $60 million-plus fine," he said.
"It certainly hasn't filtered through to organisations that sit in the US, and don't necessarily realise that GDPR extends to all European citizens, whether they are captured in a US platform or a US-headquartered organisation or not."
The biggest problem that organisations are having with GDPR compliance, according to Benjamin, is that the regulations are vaguely-worded in a lot of places. While some elements of the rules - such as the need to appoint a data protection officer and notify users of a breach within a given time frame - are clearly laid out, many aspects have a lot of room for interpretation.
