On May 25, the EU GDPR went into effect. Prior to this day, there was much speculation as companies prepared for the rigors of this new privacy regulation - would companies be prepared? Would regulators? How would the public react?
Now that this sweeping regulation is in effect, the privacy profession is experiencing a bit of a wait-and-see moment. We could all benefit from greater clarity on how enforcement of the GDPR will unfold. This will take time and will likely require further guidance from regulators, along with observing and learning from how the regulation is enforced by member states. One of the most nerve-wracking experiences a privacy professional can have may also turn out to be the most illuminating about GDPR: going through, and surviving, an enforcement action.
In the meantime, what has this new regulation meant for US multinational companies? It depends. Are you a glass half full, or glass half empty type of person?
Glass Half Empty: US organizations view GDPR as bringing overreach and complexity
In the US, the GDPR has been perceived by many organizations as an overreach by European regulators, with a complicated tangle of articles that could result in heavy-handed fines and enforcement actions. US companies have long been accustomed to a complicated patchwork of regulations – federal privacy laws such as HIPAA and GLBA are layered with each state’s specific data privacy and breach notification requirements – but the way the GDPR frames privacy is a stark departure from the status quo. As a result, some organizations have been less than eager to embrace GDPR compliance standards.
For example, IBM executives used the weeks before the GDPR’s effective date to meet with Congress and urge lawmakers to consider alternatives to the new regulation, arguing in a company blog post that they “do not believe that GDPR should be simply grafted onto privacy systems where its relatively prescriptive approach may not work – particularly in the United States.”
Google and Facebook (along with Facebook-owned Instagram and WhatsApp) were hit with privacy complaints within hours of the GDPR going into effect. Given that fines can reach €20M or 4% of an organization’s total worldwide annual turnover, whichever is higher, these organizations could stand to lose billions if regulators agree with the complaints. And this is just the beginning of the complaints we can expect to see: according to Ireland’s Data Protection Commission (DPC), between May 25 and May 31 its information service received around 700 telephone calls and over 650 emails, from both individuals and organizations.
Then there are the organizations shuttering the EU arms of their businesses outright, or, in the case of the Los Angeles Times, the Chicago Tribune, and the New York Daily News, blocking European visitors from their websites altogether to buy more time to bring the sites up to the new compliance standards.
Glass Half Full: Organizations treating GDPR as an opportunity to earn trust
Perhaps the most positive reception of the GDPR’s effective date that I came across was an article by privacy expert Professor Daniel J. Solove entitled “Why I love the GDPR: 10 Reasons.” Solove enumerates the benefits of the GDPR’s sweeping impact, but what I think it boils down to is this: privacy is an important right, and the GDPR forces companies to take notice of key privacy issues, to button up their practices, and to effect real change in how they manage and protect the data they are entrusted with. Doing well in privacy means earning the public’s trust, and the GDPR is a powerful forcing mechanism to get more companies on the right track.
Echoing this sentiment, a recent IBM Institute for Business Value study, based on a survey of 1,500 business leaders and released before the regulation took effect, found that:
- Nearly 60% of respondents view GDPR as an opportunity to improve privacy, security, and data management, or as a means to create new business models and revenue streams.
- 76% of respondents said GDPR should improve trust and the relationship between businesses and consumers.
- 84% believe that GDPR compliance will put their firms in good stead as a differentiator with the public.
In contrast to IBM, Microsoft has embraced this view, announcing that it would apply the GDPR globally and extend “the rights that are at the heart of GDPR to all of our consumer customers worldwide.” Similarly, Apple CEO Tim Cook echoed GDPR language in a recent CNN interview, calling privacy a “fundamental human right” and emphasizing that “privacy from an American point of view is one of these key civil liberties that define what it is to be American.”
Privacy issues are now in the public eye more than ever. There are articles and op-eds about GDPR in mainstream publications like the New York Times. Trevor Hughes, President and CEO of IAPP, says he has people asking about the GDPR when he’s at the gym. This momentum and attention could be used for good in our industry, a way to call for greater budgets and more influence over how we protect consumer data.
Keep an Eye on GDPR, But Don’t Overlook Changing Privacy Regulations at the State and Even City Level
Whether you’re a pessimist or an optimist, the reality is that we just don’t have enough information yet to judge the success of this new regulation or its adoption by US companies. As privacy professionals, we are well aware of the risks of both over- and under-reporting: either poses the risk of fines, loss of public trust, and reputational damage to the company. Compliance with regulations can be a bit of a tightrope routine, one that privacy professionals are well practiced at performing. In the meantime, the US Chamber of Commerce has produced a handy list of eight areas to watch when gauging the success or failure of this regulation.
Here’s a word of warning for US organizations: with one eye overseas, it’s important that we don’t lose track of what is happening in our own backyards. While the exact details of GDPR compliance are still being sorted out, regulatory complexity continues to plague privacy professionals in the US, with ever-changing state laws. A list of recently passed privacy laws shows that so far in 2018 we’ve already seen nine states enact new breach notification laws that will go into effect in the coming months. And with the city of Chicago’s recently introduced Personal Data Collection and Protection Ordinance, it seems that cities may be adding to the complexity of data breach notification as well. The overarching trend in this changing data breach legislation is increasing stringency and growing complexity in breach risk assessment and notification obligations. At any given time, there are a number of active bills, both proposed and recently passed, that could change what compliance looks like under state and federal data breach notification laws. Staying on top of these regulations is another critical part of a successful privacy program.
As fun as it was to celebrate the May 25 GDPR milestone, a privacy professional’s work is never over.