GDPR, One Year Later, ‘Not the Boogeyman’

The European Union (EU) General Data Protection Regulation (GDPR) took effect on May 25, 2018, to much fanfare and often with a considerable amount of dread. Now it’s a year later and time to evaluate what GDPR actually brought about, versus what was feared, and where it is steering companies next.

Beckage’s Daniel Greene

“The GDPR is not the boogeyman, it is a series of questions that U.S. companies need to make sure they can answer in order to do business with EU citizens’ data — it just so happens that the questions are complicated, require a well-trained eye to tackle and can change the practices and culture of U.S. companies,” said Daniel P. Greene, Esq., Certified Information Privacy Professional, Europe (CIPP/E), at Beckage law firm.

Several experts weigh in on GDPR’s effects on the U.S. in terms of businesses, consumers, law and geopolitics.

GDPR begat more privacy laws

WatchGuard Technologies’ Marc Laliberte

“Since the GDPR took effect, we have seen privacy gain significant momentum both globally and within the US,” said Marc Laliberte, senior security analyst at network security company WatchGuard Technologies.

Laliberte, like many other professionals involved with GDPR compliance, points  to examples of new GDPR- spurred or inspired privacy laws such as the California Consumer Privacy Act (CCPA), the introduction of the Washington State Privacy Act and Congressional action on a federal privacy bill.

Little enforcement– so far

GDPR is still young and both companies and regulators are still busy figuring out how it works.

DH2i’s Don Boxley

“As we come upon the Global Data Protection Regulation’s (GDPR) first birthday, I would compare it to a toddler and describe GDPR’s first year as a transition year, and European regulators as still a bit like indulgent parents,”  said Don Boxley, CEO and co-founder of DH2i.

Several companies that rushed to comply with GDPR mandates in late 2017 and early 2018 report that enforcement appears practically nonexistent.

DataBank’s Mark Houpt

“For now, it has not changed one thing we do. Since June of 2018, I have not had one compliance questionnaire or entity come to me to validate my GDPR compliance. This may change as GDPR matures and court cases determine jurisdiction and even practical implementation,” says Mark Houpt, CISO for DataBank.

A DLA Piper survey pegs the number of data breaches reported at over 59,000, which is a significant increase under GDPR, but the survey also found that only 91 resulted in fines. DLA Piper is a global law firm.

Many businesses are still holding their breath, however, in anticipation of the inevitable increase in enforcement and impact.

“After one year, the GDPR is still honing its enforcement action process — as the authorities move on from the Googles and Facebooks, they’ll take on the next batch of companies with more efficiency, working their…