Can One Year of GDPR Teach the U.S. Anything on Privacy?


Technology experts reflect on how GDPR changed companies' approaches to data.

Last June when the General Data Protection Regulation was going into effect in Europe, I wondered if lawmakers and tech companies in the United States might be able to learn anything from that kind of privacy regulation. At the time, there wasn’t much of an impetus on the part of lawmakers to do anything similar in this country, despite a growing consumer demand for more personal data protection. Now that GDPR has been in effect for almost a full year, and by all accounts is doing very well, could that trigger more acceptance on this side of the ocean for something similar?

One of the reasons that leaders here have been reluctant to support new privacy laws is that most of what has been proposed so far simply vilifies companies that get breached. But GDPR is more elegant than that. Basically, if a company does everything it can to protect the data it has collected, and then gets breached anyway, they may not be blamed or fined, especially if they follow the guidelines and alert affected customers within 72 hours. Yes, the fines with GDPR can be huge but those are mostly reserved for firms that blatantly break the rules and more or less contribute to their own data theft.

GDPR is also well-crafted because it does not advocate a specific technology or protection scheme. It merely lays out a series of best practices and then fines companies that don’t improve their defenses and get breached as a result. One of the key elements is actually encouraging companies not to collect and store unneeded information in the first place. GDPR encourages firms to only collect the information they explicitly need to perform whatever product or service they are providing, and to delete and destroy that data when they are finished with it, or when a customer asks for their data to be removed and forgotten.

Under those guidelines, for example, your cable or phone company would probably decide that it no longer needed to collect your Social Security number. For one, they don’t need it to provide their service. For another, they would be responsible for that bit of data if it ever got stolen. And finally, everyone would probably exercise their legal right to ask the company to destroy it. Those looming fines would ensure compliance, since they would only come into play if a company stubbornly went ahead collecting data it didn’t need, failed to protect it, and eventually had it stolen.

What effect a successful GDPR will have in the United States and places beyond Europe is an open question. Personally, I’m not really sure if anything like that could happen at the federal level, though various states are already experimenting with protecting privacy. One only needs to look at what California is doing with its California Consumer Privacy Act, set to become law in 2020, as an example. The CCPA will be a big deal too, since it applies in the state where many tech companies reside.

Technology experts are commenting on what a full year of GDPR might mean for this country, and many more will likely weigh in as the official first year of GDPR approaches. I’ve collected a few thoughts from experts that I believe have a good handle on the situation or an interesting perspective on the state of privacy laws in this new post-GDPR era.

Some experts looked at GDPR’s success in terms of encouraging statewide programs like the CCPA. These may, eventually, force the federal government to act as well.

“The biggest impact of GDPR has been not in European capitals, but in Washington, Palo Alto, Sydney and beyond. Privacy is now a popular topic with both politicians and technology CEOs; this is a credit to the rise of GDPR,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. “GDPR is creating debate and political action well beyond European Union states. This trend shows no sign of changing for the next few years.”

“GDPR put privacy controls in the hands of the consumer, rather than in the hands of a business or government. As a result, GDPR has become the blueprint for many other privacy laws coming out in the U.S., which took those principles and built laws around protecting consumer privacy in their state,” said Jonathan Deveaux, head of enterprise data protection at comforte AG. “The California Consumer Privacy Act is a prime example. There is even talk now of the possibility of a Federal Data Privacy Law in the works.”

“The GDPR has certainly spurred more conversation in the United States around data privacy and protection. The NIST Privacy Framework has grown a massive following and is highly anticipated, in part I would argue because of the GDPR movement,” noted George Wrenn, CEO of CyberSaint Security. “California has instituted privacy laws, and many other states are planning on following suit. Data privacy and protection has become a federal and state issue in the U.S. and only continues to grow momentum.”

Others say that, regardless of the impact of the year-old regulation on governments, the effect on companies is tangible. Nobody really thought too much about privacy before, but now it’s becoming a primary concern.

“In the last 12 months, almost every enterprise customer we visited was motivated by a GDPR compliance discussion. While it seems that big enterprises have put some GDPR compliance practices in place and are protecting part of their data, midsize companies are now asking similar questions,” said Pankaj Parekh, chief product and strategy officer at SecurityFirst. “Also, the big companies who have initially deployed some security solutions for GDPR compliance are asking questions about continuous data protection and security that follows the protected data.”

“The biggest difference since the introduction of GDPR is that data is now part of every conversation. Understanding what data is being captured, stored and processed is often a business priority and one that is shared through the business,” said Laurence Pitt, security strategy director at Juniper Networks. “The GDPR has made the world sit up and listen, as other countries have started to implement their own versions: Brazil, Singapore, Australia, Philippines, even the U.S. While the GDPR is still the only regulation to be implemented with a global reach, that will very likely change in the coming years.”

So it seems like companies are starting to put a greater value on privacy and data protection, while in government, smaller, incremental laws are starting to try and enforce that mindset. While there may not be a grand, sweeping law that suddenly protects everyone’s privacy in America, I think that Ryan Tully, VP of product strategy for STEALTHbits Technologies summed it up best when he predicted that “while data breaches still remain a common topic in the news, the impacts of the GDPR and subsequent domestic regulations that come as a result of those should truly give people transparency and control over their personal information—one regulation at a time.”

John Breeden II is an award-winning journalist and reviewer with over 20 years of experience covering technology. He is the CEO of the Tech Writers Bureau, a group that creates technological thought leadership content for organizations of all sizes. Twitter: @LabGuys
