It has been over 15 years since the Sarbanes-Oxley Act (commonly referred to as SOX) expanded corporate governance requirements and demanded more corporate accountability, including personal liability for directors and officers. Although implementing these rules was initially a heavy burden on many companies, it is now an accepted part of company culture and operations for most public businesses. Of course, there are still compliance and enforcement challenges for companies and the government. However, the changes resulting from SOX are a good lesson in what we can expect with the new General Data Protection Regulation (GDPR) and perhaps a future U.S. version of the law.
When SOX was enacted, many businesses didn't understand their requirements and spent significant resources to develop strong internal controls. Despite these struggles, companies adapted and succeeded in reducing their risks and improving their credibility, which has made many of them stronger financially. Similarly, GDPR will be a challenge to implement for many companies. In the U.S., there will be the added difficulty of having different rules for different customers. However, as with SOX, companies will see that adoption of GDPR can help them improve their business practices with better security and data management, which will lead to improved customer relationships.
Over time, SOX has increased disclosure requirements and imposed additional standards related to cybersecurity. Where executives now must sign off on data retention and security policies under SOX, GDPR takes this to the next level, demanding more granular regulation of data. U.S. companies dealing with E.U. customers must comply with these rules and will probably make changes to how they handle U.S. data as well. However, even those companies that have no connection with the E.U. will need to make changes to how they manage their data. Within the U.S., data breaches and recent scandals have drawn greater attention to how companies protect and use customer information. There are already various federal and state laws, but they will only increase in importance, and these regulations will need to become part of a company's compliance program.
The goal of both SOX and GDPR is to make companies more accountable for their actions. With SOX, companies have changed their behavior. Companies are more transparent and are making fewer mistakes. For example, according to the Audit Analytics annual report, financial restatements continue to decline. GDPR is likely to impose liability on many companies in the beginning as they learn what it takes to comply. However, over time the new practices will become the norm, just as with SOX.
New regulations are seldom easy to implement, but as shown by SOX, companies can change their practices and come out stronger for them.
If your company is not fully compliant with the GDPR or you have questions on how it will impact your business, contact CDS today for a consultation with our cross-border data experts.