The ongoing reform in cross-border data sharing is an effort to better protect citizen data, guard national security interests and boost local economies. These are all positives that are long overdue. However, in this rush to update how personally identifiable information (PII) is handled within each geographic region, international business strategies and processes are being called into question.
For example, cloud computing is an established part of the enterprise IT landscape, and adoption is expected to continue rising over the next decade. Businesses rely on SaaS and cloud-based storage to streamline efficiencies and collaborate easily. But the shift to mobile and cloud-based computing platforms adds complexities to the proper control of data flows. This makes complying with privacy regulations extremely challenging.
To gain a clearer perspective on the current climate regarding the data privacy rights movement, Ovum Research recently conducted a survey of more than 300 international IT decision makers. The results reveal a disturbing worldwide trend: many of the enterprise leaders surveyed are confused about how these new regulations apply to them and are woefully unprepared for the significant consequences of failure to comply.
Here are three key ways this new reform, happening on a global scale, is negatively disrupting U.S. enterprises.
1. The U.S. is number one – in mistrust
The Ovum survey confirms it: the Snowden Effect is real, and it’s harming U.S. businesses that operate overseas. The U.S. is ranked as the “least trusted” country and the most likely to gain unauthorized access to sensitive information among 20 industrialized economies, with China coming in second and Russia third.
Further, as new regulations driven by this lack of trust are set to pass, they may put U.S. companies at an even greater disadvantage. Of the leaders surveyed, 63 percent believe that the proposed EU General Data Protection Regulation (GDPR) will make it more difficult for U.S. companies to compete globally; 70 percent said they expect the new legislation, which is likely to pass before the end of 2015, will favor European-based businesses.
2. Poor security practices generate pessimism
While some organizations are aware of data privacy as an issue, many struggle with how to ensure compliance with pending regulations. Most egregiously, they have little control over data that might be leaking outside of the company, which puts them at tremendous risk of violating new privacy laws.
Even more daunting: many leaders aren’t taking advantage of available technologies that can help them protect sensitive data and comply with new regulations. Only 44 percent of survey respondents said that they currently monitor user activities and provide alerts to data policy violations, and only 53 percent classify sensitive information to align better with access control technologies. Almost half (47 percent) indicated that their organizations have no policies or controls limiting employee access to consumer-grade cloud storage and file-sharing systems.
3. Failure to comply means a diminished bottom line
Distrust, confusion and pessimism are bad for business, but not as bad as direct hits to a company’s operational budget. Two-thirds of IT decision makers surveyed expect the new regulations to force changes in their European business strategy. And as we all know, operational changes don’t come free.
U.S. firms that have not properly prepared for data privacy reform are facing stiff fines and are well aware of what that will mean for their operating budgets. When asked about the pending GDPR, 52 percent of respondents said they think it will result in business fines for their company. More than 70 percent of respondents admitted that they expect an increase in spending due to data privacy regulations, and 30 percent expect budgets to rise by more than 10 percent over the next two years.
The data sovereignty revolution, while necessary, is shaping a fragmented, mutually hostile landscape that leaves U.S. businesses exposed and scrambling to understand their responsibilities. In this new world, we will see different jurisdictions imposing inconsistent and often incompatible mandates for how PII is stored, processed, accessed and shared.
As this sobering research shows, there is plenty of confusion and uncertainty to go around. During this transitional phase, businesses have fundamental questions going unanswered, such as how to interpret data location requirements. Organizations need technology options and subject matter experts so they can properly prepare for a rapidly changing regulatory environment.
Ronald W. Hovsepian is president, CEO and director of Intralinks, a global supplier of secure collaboration solutions for highly regulated industries. Previously, Ron served as president and CEO of Novell, Inc. Before that, he held management and executive positions at IBM. In addition, he served as managing director with Bear Stearns Asset Management, a technology venture capital fund, and managing director of Internet Capital Group, a venture capital firm.