May 19, 2020

10 reasons why North American companies should care about Europe’s GDPR

As of May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) applies to all companies processing the personal data of EU residents, including businesses based in North America. GDPR creates a new set of digital rights that put consumers in control of their personal data. The mandate is comprehensive and requires more than just managing a customer database: information held in marketing, human resources, IT and the supply chain may also be affected. And with significant fines for non-compliance, GDPR cannot be ignored. In this article we address 10 common myths about GDPR to help North American business leaders understand how the regulation affects them.

1) GDPR doesn’t apply to North American companies

Yes, it probably does. If your company does business with European citizens, you need to pay attention to GDPR. Did an Austrian citizen purchase a ticket and travel on your airline? Did a German citizen book a hotel through your website? Do EU citizens order merchandise from your company website? Did your hospital treat a Belgian citizen visiting the U.S.? Do you have suppliers based in an EU country? If you answered yes to any of these examples, GDPR may apply – no matter where the transaction happens.

2) We look at the GDPR fines as a cost of doing business in Europe

The EU Parliament made non-compliance an expensive proposition. There are 37 finable articles, and companies can be fined up to 4% of their annual revenues or €20 million (approximately $25 million USD) for each article. Fines are tiered, so the maximum penalty may not apply to a first violation. However, if a company repeatedly ignores GDPR requirements, the fines will be substantial, and the local Data Protection Authority can suspend a company from data processing.

3) We don’t have any EU residents in our customer database

GDPR applies to both structured and unstructured data, which means it affects more than just traditional databases. Unstructured data includes emails, photos, word processing documents, presentations, webpages and video files; in other words, information that does not traditionally reside in a row/column format. Experts estimate that 80-90% of the data in any organization is unstructured, and unstructured data usually grows far faster than structured databases do.

4) North Americans aren’t as worried about protecting their data

Customers care about their data. In the U.S., 59% of internet users said their greatest concern about their online activity is cybercrime, such as having money or personal information stolen. Data and privacy breaches erode trust between you and your customer. Under GDPR, you can only collect the information you need to complete a transaction. Consumers can request to see the details you have on file and correct any mistakes. They can also ask you to transfer their data to another organization under certain conditions. GDPR puts control of personal data in the hands of the consumer.

5) Companies outside the EU can wait to report a data breach

In 2017, Equifax security systems were compromised and their database breached. It is estimated that the names, addresses, Social Security Numbers and credit card numbers of more than 140 million Americans were accessed during the attack. Equifax waited six weeks before it reported the breach and the extent of the data accessed may never be known. Under GDPR, a company has 72 hours to report after a breach has been detected. In fact, the Data Controller has a legal obligation to notify the authorities within this timeframe. Companies are also required to notify people affected by the breach. The most fundamental principle of the GDPR is the obligation to process personal data “lawfully, adequately, accurately and securely.”

6) As long as we don’t have a person’s name, we can collect information on EU citizens

GDPR expands the definition of personal data and a person’s name is not considered the sole identifier. Photos, medical records, financial status, fingerprints, banking details, social media posts and more can be used to identify a person. It can relate to a person’s personal or professional life. If you are collecting information on EU citizens that could be used to identify them, you need to comply with GDPR.

7) We made the font size bigger on our consent form

There are no more “tick” boxes on lifetime consent forms. GDPR strengthens the condition of consent in favor of the consumer. The days of small type and scrolling through a massive amount of text are gone. Companies will no longer be allowed to use consent forms filled with legal jargon that is incomprehensible to the average person. The request for consent must be in clear and plain language, in a format that is readable. For sensitive personal data, only the “opt-in” option will be considered sufficient for consent.

8) The “Right to be Forgotten” will just mean we delete a record

Under GDPR, consumers are given control over their data and this includes being “forgotten” by a company. However, depending on how you use the data, simply deleting a name may not be enough to get rid of all the identifiers or may impact other data in your systems. The right to be forgotten needs more planning than a delete key.

9) We can wait to appoint a Data Protection Officer (DPO) once we have a breach

While not every company requires a DPO under GDPR, it is recommended that one be appointed as quickly as possible. In most large organizations it can take up to a year to perform data analytics and review organizational culture and behavior in order to drive process change. The DPO required under GDPR is a formal role and can be either an employee or a third-party contractor. They need expert knowledge of data protection law and practices, must have appropriate resources to do their job and keep up to date on security, must report to the highest level of management, and must not have any conflicts of interest. They also need to maintain a Data Protection Register and report all data breaches.

10) Our IT department will figure it out by the deadline

GDPR affects more than just your IT department. It impacts business processes across the organization, and business change is going to be part of becoming GDPR compliant. According to Dimensional Research in 2017, 61% of U.S. privacy professionals had not begun their GDPR implementation and 98% said they require additional investment to comply. The same survey showed that 23% of large U.S. companies expect to spend more than $1M to comply with GDPR. It is a significant investment of time, resources and budget, and it cannot simply be handed to IT. GDPR is about establishing good data privacy practices.

Written by Philip Higginbotham, Principal – Insights & Data Practice at Capgemini and Philip A. Jones, North America GRC Practice Leader – GDPR COE at Capgemini

May 15, 2021

M&A activity key lever for future tech sector growth

Kate Birch
With M&A activity in the technology sector soaring, dealmaking is likely to be the key lever for growth as businesses look to recover post-pandemic

Despite the continuing uncertainty of the pandemic, the tech sector has witnessed soaring dealmaking activity over the past year, rocketing in the second half of 2020, with the last quarter of 2020 a record one for M&A activity, and momentum continuing into 2021.

Dealmaking in tech sector soars in past year

And the latest figures bear this out with the number of technology M&A deals totalling US$208.44bn globally in Q1 2021, according to GlobalData. While the US holds top spot both in volume of deals (1034) and total value (US$140.61bn), Europe ranked next with 649 deals (US$44.49bn) with the UK continuing its reign as Europe’s biggest M&A market with 204 deals.

In particular, megadeals – those valued at US$5bn or more – soared in 2020 representing 59% of all global technology sector deal value in 2020, up from 47% in 2019, according to the latest edition of the EY Technology Global Capital Confidence Barometer.

This tech sector trend towards megadeals is backed up by EY’s CCB data, with 16% of tech sector respondents planning to pursue transformative deals valued at US$5bn or more in the near-term.

While technology deal activity “all but stopped at the beginning of 2020 after fluctuating between historic highs and lows, companies pivoted quickly and tech M&A exploded in the second half of the year”, says Barak Ravid, EY Global TMT Leader for Strategy and Transactions. 

M&A activity a key lever for tech sector growth

Looking ahead to the future, technology executives are optimistic, with nearly half (47%) expecting profitability to fully rebound this year, according to CCB data, compared to 23% across all sectors, and with more than half (51%) planning to pursue M&A in the next year in order to sustain growth.

According to Ravid, M&A activity is increasingly becoming a key lever for growth as businesses look to recover.

“To position themselves for future revenue growth, tech companies are now adjusting their M&A strategy to focus more on a target’s business resilience, digital technology alignment and to gain market share through consolidation,” says Ravid.

However, with an increasingly competitive deal market and ongoing geopolitical tensions, the majority of tech execs expect to see more competition in the bidding process for assets over the next year, primarily from private capital.
