SALT LAKE CITY — A financial penalty of $23 million or 4 percent of revenues is one that would be devastating, if not lethal, for almost any company.
But that’s the maximum potential fine for failing to comply with a new set of rules that apply to any business, regardless of location, that handles the personal data of European Union residents.
While thousands of U.S. companies are struggling to come into compliance with the General Data Protection Regulation, and thousands more have responded by simply giving up on doing business across the pond, a Salt Lake City law firm has innovated a new piece of software that gets the job done in a matter of hours and at a fraction of the cost of doing it manually.
And the product, which has yet to be marketed, is already taking off.
“We launched in late March … and have already helped over 300 companies complete their compliance documents,” said Salt Lake City attorney Kimball Dean Parker. “Without our automated process, this is a task that can take months and cost easily over $100,000.”
For those who may not have heard of it, the regulation went into effect May 25 and is aiming to secure the personal data of European residents by requiring companies and nonprofits that handle that data to institute a suite of robust protections, including mandates to give individuals the power to see what personal data is being collected and decide whether or not it gets shared. The law applies to any entity that handles “personally identifiable information” belonging to E.U. residents, regardless of where the company or institution is located.
Companies that fail to comply can be hit with potentially enormous financial penalties of 4 percent of annual revenues or 20 million euros, currently about $23 million in U.S. dollars, whichever is greater. And, yes, those fines can be assessed to American companies, thanks to numerous treaties in place between the U.S. and E.U. member states.
Parker, who is president of Parsons Behle Lab, a newly formed subsidiary of Utah’s biggest law firm, Parsons Behle and Latimer, said the software is an adaptation of automated document processing he helped develop as part of LawX, a new legal design program at BYU’s J. Reuben Clark Law School. That application, called SoloSuite, was designed to help individuals respond to Utah debt collection complaints by walking them through a very simplified, and digitized, question-and-answer process.
Modifying that program, which Parker said was a digital embodiment of his legal experience helping clients navigate complaint responses, was simply a matter of repeating the process, but leveraging the knowledge of a General Data Protection Regulation legal expert. That person was Tomu Johnson, another Parsons Behle attorney.
“We picked Tomu’s brain and plugged it into the product,” Parker said. “But without the legalese. What we ended up with is like TurboTax for GDPR.”
Parker said he and Johnson, who is the lab’s chief operating officer, had the software, called GDPR-IQ, vetted by one of the top GDPR law firms in the E.U. to ensure their approach was on target. And, not only did it get top marks on a legal review, it’s also winning over customers with a lethal one-two punch of substantial time and cost savings.
Brent Hawkins is vice president and general counsel for Salt Lake City’s Priority Dispatch Corp., a company that develops software that works as the brains behind 911 and emergency dispatch centers across the U.S. and around the world. Hawkins said his company is doing business in 46 countries, and there was no question that getting into GDPR compliance was a necessity, but with an expected outlay of hours and dollars that was daunting.
“I researched what it was going to take, before we heard about GDPR-IQ,” Hawkins said. “If you hired a law firm, costs were running $100,000 to $1 million or more depending on the size of your company.
“We didn’t have the time or budget for this kind of thing. It would have been a full-time job for a year for a staff person … GDPR-IQ saved us 90 percent, easily.”
Hawkins said completing the compliance process has made it easier to sleep at night and, he noted, it’s a necessity for reasons that go beyond the threat of deep financial consequences.
“We’ve been seeing more partner companies and new clients require proof of GDPR compliance before doing business,” Hawkins said. “The bottom line is becoming, if you aren’t in compliance, no one is going to deal with you.”
A recent Forbes article estimated that 15 percent of U.S. companies are ignorant of the need to achieve compliance, 15 percent are choosing not to, as a strategic decision, and another 15 percent are simply “retreating” from doing business in the E.U. That includes some 1,000 U.S. news publications, including papers like the Los Angeles Times, Chicago Tribune and Baltimore Sun, owned by Tronc Inc. E.U. visitors to news sites owned by Tronc are greeted with this message, in lieu of access to the online publications:
“Unfortunately, our website is currently unavailable in most European countries. We are engaged on the issue and committed to looking at options that support our full range of digital offerings to the E.U. market. We continue to identify technical compliance solutions that will provide all readers with our award-winning journalism.”
Parker noted that while companies may choose to just opt out of doing business with E.U. customers, a very similar set of rules is already on the cusp of becoming reality in the U.S. The California Consumer Privacy Act was passed by the state Legislature in June and is set to take effect in 2020. In preparation, Parker and his Parsons Behle Lab team are developing a version of GDPR-IQ that will help clients comply with the new California rules when they go into effect.
“This is a set of regulations very similar to GDPR,” Parker said. “Our new product is under development and will, like GDPR-IQ, automate the documentation process.”
CCPA-IQ, Parker said, is set for release in October. And he expects the national conversations and legislative efforts focused on protecting personal data to be ongoing.
“While the Europeans have been ahead of the U.S. in terms of data protection efforts, privacy is becoming a bigger and bigger issue, everywhere,” Parker said. “The California legislation could be the catalyst for actions in other states and the federal level.”