Several months before I attended a Data Protection meetup in NYC, I had seen flashes of the acronym “GDPR” on LinkedIn posts, primarily from my European network. Largely driven by curiosity (what exactly does GDPR stand for, what are its implications, and what does the inside of an AWS Pop-up Loft look like?), I attended a meetup hosted by AWS New York in mid-March, led by Justin Antonipillai, CEO of WireWheel.io.
My first misconception of GDPR was that it was an issue contained within Europe. This was addressed in the opening minutes of the event as being wildly incorrect. During the course of the meetup and through independent research afterwards, I learned that the May 25 enforcement of the General Data Protection Regulation (GDPR) would affect anyone in the US who offers services in Europe, regardless of whether they hold assets in the EU, from start-up vendors to enterprise end users. It didn’t discriminate by industry or size of organization, and there would be no delay in implementation.
So one day away from the enforcement date, what does this mean?
For the US, which historically hasn't had an all-encompassing data protection law, the enforcement of these frameworks is now a commercial issue for organizations handling the personal data of European citizens. Take, for example, a San Francisco-based start-up security vendor that develops products. In an effort to promote transparency, this company will need to follow GDPR standards such as adhering to the Privacy by Design framework, making sure that existing implementations are compliant, and administering Privacy Impact Assessments.
Successful implementation of these measures requires a workplace and senior leadership team that is privacy-conscious. Whether an organization chooses to go externally or looks to build an in-house team of privacy and data protection specialists, I have found that several of my clients have begun asking for candidates, from product engineers to sales folks, to possess an understanding of the policy and legal frameworks in the industry.
Through every candidate and client conversation I have, I’m learning more about the potential effects of GDPR on businesses across the US.
The message I have received across the board is almost shockingly simple: the companies that have nothing to sweat about are those that took the time to understand the regulation early on, determined the prerequisites for compliance, and have at least attempted to implement them.
If the Forbes statistic is true that only 21% of US businesses had a plan in place to tackle GDPR 90 days before the implementation date, it seems that fully understanding GDPR compliance will be a steep learning curve, not only for myself but for most companies across the US.
(Also, in case you were wondering, the AWS Pop-up Lofts are every bit as cool as people make them out to be.)
I am always looking to expand my knowledge in this industry, and as such I’d love to connect with thought leaders with an interest in this issue and more, so do let me know your thoughts.