What U.S. companies need to know about the GDPR

By SIPIAR Team on 10/25/2017


How U.S. companies are working to meet GDPR deadlines.
How U.S. companies are working to meet GDPR deadlines.
In a globally connected business environment, even the most routine decisions made by regulatory authorities halfway around the world can have drastic impacts right here at home. With the rollout of the European Union's General Data Protection Regulation, this fact will become even more apparent, as American companies who conduct business in Europe scramble to meet the compliance deadline of May 25, 2018.


"The GDPR sets forth several specific data security requirements for businesses."

The European Parliament enacted the GDPR in 2016 to address the growing threat of cybercrime, specifically instances of data theft enabled by carelessness on the part of large multinational companies. That's why GDPR rules will have an impact on businesses based in the U.S. but with operations within the EU.

But according to research from Gartner on corporate readiness for GDPR compliance, American multinationals are so far in poor shape. The group estimated that once the May 2018 deadline arrives, only half of U.S. companies affected by the GDPR will be in full compliance with its rules. Failure to meet these requirements could not only result in steep fines but also an erosion of trust between corporations and their clients around the world.

There is still time to kick data security efforts into high gear in order to meet the GDPR requirements. Doing so underscores why every detail in the IT asset disposition process is important, and how the enterprise asset lifecycle is entwined with long-term growth.

Here are the key points that U.S. businesses need to know, as well as action points to consider in crafting a plan for full GDPR compliance:

Who it's for

Companies subject to the GDPR include any business operating within the EU as well as those based elsewhere that process personal data for goods or services marketed to EU customers.

Why it matters

As cyberattacks on businesses become a regular occurrence, it's crucial that large organizations take data security more seriously to maintain public trust. Penalties for businesses found to be non-compliant could include sanctions and fines of up to €20 million.

What to do

The GDPR sets forth a number of specific steps that affected businesses must take, the most important of which include:

  • Appointing a "Data Protection Officer" to oversee data security and reporting efforts.
  • Establishing a uniform process to evaluate how personal data is used and transmitted, and take steps to control it with industry-standard solutions.
  • Keeping detailed and timely records of all data processing activities, including asset disposition and data destruction.
  • Regularly auditing data management protocols for vulnerabilities and opportunities to improve.

A focus on data security requires every business to construct a comprehensive IT asset disposition plan. Sipi Asset Recovery works with organizations to solve these delicate problems with proven solutions, handling every aspect of the ITAD chain of custody process with onsite services, logistics, transportation, secure data wiping and remarketing. We also provide our clients with an easy, secure web portal to view certificates of erasure and destruction as well as track their assets from start to finish.

Meeting new regulatory standards like the GDPR is difficult without a trusted partner working at your side. Contact Sipi to learn why small businesses trust us with their most sensitive data security projects.