Can American Technology Firms and Lawmakers Learn from Europe’s GDPR?

There really is more than just an ocean sitting between Europe and the United States. Our ideological differences are also pretty massive. Take the issue of digital privacy as the latest example.

Within the European Union, there is a colossal government undertaking aimed at protecting people’s digital records, even when they are being held by private companies. Called the General Data Protection Regulation, or GDPR, the new law holds accountable any company or organization doing business within Europe or with European citizens. Specifically, it requires that companies protect any personal data they collect. Failure to comply could mean a huge fine, up to a percentage of a firm’s yearly profits, if a breach does occur.

Back at home, we have similar laws, but only within very specific industries, with the most widely known being the Health Insurance Portability and Accountability Act, or HIPAA. But that only applies to health care industries, and specifically to medical records. There is nothing to protect Americans from data theft outside of health care. And that data is highly sought-after these days because of its value in perpetuating secondary crimes like identity theft.  

Look at any number of breaches that have been occurring over the past few years, or even a specific attack like the one at Equifax which might have compromised the records of over half the population of our nation. Other than joining a class action suit, even the most egregiously bad examples of cybersecurity are almost never punished. As such, companies would rather keep doing business as usual and risk (our) records, instead of spending money on proper data handling technologies.

I realize that there is very little chance that the current Congress is going to pass a law to protect our data, and thus ourselves, if it means that businesses might be harmed in the process. But GDPR is a very well-crafted law, one that simply mandates good data handling best practices, and only punishes companies that willingly disregard those guidelines and get breached as a result.

A bit like HIPAA, the new GDPR makes some great data handling suggestions without tying it to a specific technology, even though certain kinds of tech, like encryption, will likely factor into most protection plans.

To comply with GDPR, companies need to set up data limits both in terms of how much they collect, and how long that information is held. Generally, companies are told to only collect information that is needed to process a transaction, and nothing more. Did you ever wonder why your cable television provider collects your Social Security number? That would be a perfect example of an extra piece of information that isn’t needed to send HBO and Cinemax to your home, and would likely be considered a non-compliant collection under a GDPR-like set of rules. Why store Social Security numbers, and risk having them fall into the wrong hands when they are not needed to watch television?

Another factor in GDPR guidelines is the longevity of data. In other words, companies are required to purge personal information on customers when it is no longer needed. By contrast, if you ever shared your social security number with your cable company, it’s probably still sitting in their database, even if you stopped being their customer decades ago. If they ever get breached, you are still going to be a part of that.

Personal responsibility is another theme of GDPR, with companies required to designate specific individuals with the power to protect information, and with the responsibility if something bad happens. This would prevent a situation like the Equifax breach where several company executives were made aware of a flaw in the Apache server software months before the breach that compromised 147 million records, but company officials didn’t act because they figured it was someone else’s responsibility to load the patch.

Last but not least, GDPR requires companies to notify people if their information has been compromised within 72 hours of learning about the breach. This includes providing copies of all potentially compromised information, including all the data the company was holding about them. For the person whose records have been stolen, this would give them some peace of mind, at least knowing what the attackers now know. For the company, however, the administration of such a task would be monumental, especially if they didn’t follow good data-gathering processes—such as only collecting the minimum information needed for a transaction and purging it after a certain time has elapsed.

So you see, GDPR is elegant in its execution. It encourages companies to be good stewards of personal information and makes it increasingly difficult not to comply with each aspect of that, to say nothing of the direct fines involved.

However, companies are not vilified for collecting personal information either. If an organization does everything right in terms of data collection and retention, takes steps to protect that information, even notifying people immediately in the event of a breach, they may not face any fine at all. Many attackers are good and can get around even the best defenses. In that case, the company or organization should not be blamed. They are, in a sense, also a victim.

Lawmakers in the U.S. might decry GDPR as a foreign government’s overreach, but GDPR is one of the most cleanly crafted laws to come about in years. Something like it is vitally needed for the United States, especially with our abundance and reliance on technology. Under GDPR, companies that do everything right and still get breached aren’t even punished. It’s just that without something like commonsense guidelines—and the threat of punishment for noncompliance—some companies will continue to ignore good cybersecurity and risk our valuable personal information.

In extreme cases, companies that collect our personal information, with or without our permission, are practically complicit in the loss of it to hackers. That is something that needs to stop, and only our government has the power to implement GDPR-like protection across the board. It’s an idea whose time has come.

John Breeden II is an award-winning journalist and reviewer with over 20 years of experience covering technology. He is the CEO of the Tech Writers Bureau, a group that creates technological thought leadership content for organizations of all sizes. Twitter: @LabGuys