Experts in various disciplines give their take on what GDPR has and hasn’t changed for businesses and consumers — so far.

Pam Baker

May 1, 2019

7 Min Read
GDPR
Shutterstock

The European Union (EU) General Data Protection Regulation (GDPR) took effect on May 25, 2018, to much fanfare and often with a considerable amount of dread. Now it’s a year later and time to evaluate what GDPR actually brought about, versus what was feared, and where it is steering companies next.

Greene-Daniel-P._Beckage.jpg

Beckage’s Daniel Greene

“The GDPR is not the boogeyman, it is a series of questions that U.S. companies need to make sure they can answer in order to do business with EU citizens’ data — it just so happens that the questions are complicated, require a well-trained eye to tackle and can change the practices and culture of U.S. companies,” said Daniel P. Greene, Esq., Certified Information Privacy Professional, Europe (CIPP/E), at Beckage law firm.

Several experts weigh in on GDPR’s effects on the U.S. in terms of businesses, consumers, law and geopolitics.

GDPR begat more privacy laws

Laliberte-Marc_WatchGuard-Technologies.jpg

WatchGuard Technologies’ Marc Laliberte

“Since the GDPR took effect, we have seen privacy gain significant momentum both globally and within the US,” said Marc Laliberte, senior security analyst at network security company WatchGuard Technologies.

Laliberte, like many other professionals involved with GDPR compliance, points  to examples of new GDPR- spurred or inspired privacy laws such as the California Consumer Privacy Act (CCPA), the introduction of the Washington State Privacy Act and Congressional action on a federal privacy bill.

Little enforcement– so far

GDPR is still young and both companies and regulators are still busy figuring out how it works.

don-boxley-dh2i-2018.jpg

DH2i’s Don Boxley

“As we come upon the Global Data Protection Regulation’s (GDPR) first birthday, I would compare it to a toddler and describe GDPR’s first year as a transition year, and European regulators as still a bit like indulgent parents,”  said Don Boxley, CEO and co-founder of DH2i.

Several companies that rushed to comply with GDPR mandates in late 2017 and early 2018 report that enforcement appears practically nonexistent.

Houpt-Mark_DataBank.jpg

DataBank’s Mark Houpt

“For now, it has not changed one thing we do. Since June of 2018, I have not had one compliance questionnaire or entity come to me to validate my GDPR compliance. This may change as GDPR matures and court cases determine jurisdiction and even practical implementation,” says Mark Houpt, CISO for DataBank.

A DLA Piper survey pegs the number of data breaches reported at over 59,000, which is a significant increase under GDPR, but the survey also found that only 91 resulted in fines. DLA Piper is a global law firm.

Many businesses are still holding their breath, however, in anticipation of the inevitable increase in enforcement and impact.

“After one year, the GDPR is still honing its enforcement action process — as the authorities move on from the Googles and Facebooks, they’ll take on the next batch of companies with more efficiency, working their…

…way down the ladder to small-to-medium sized businesses,” says Greene.

Activity in the name of GDPR compliance is thus expected to increase rather than decrease in the second year.

michael-mittel-rapidfire-tools-2018.jpg

RapidFire Tools’ Michael Mittel

“With recent fines and penalties in 2019 and people reading more about it in the press, there’ll be more activity happening, both on the prosecution side and the response side from companies that are affected by GDPR,” said  Michael Mittel, founder and CEO of RapidFire Tools, a Kaseya company.

“We saw that happen with HIPAA in the United States. The final regulation was written into law in 2013 and it took a while for folks to realize the impact and importance. When they did, it snowballed. The same thing will happen here with GDPR,” Mittel added.

Penalties are also expected to rise under new privacy regulations spawned by GDPR.

Forslund-Fredrik_Blancco.jpeg

Blancco’s Fredrik Forslund

“The fines for non-compliance of the CCPA, which could be up to $7,500 per violation, may prove to be even more devastating [than GDPR] for companies doing business with California consumers,” warns Fredrik Forslund,  vice president of enterprise and cloud erasure solutions at Blancco.

Mixed consumer and business reactions

 Consumers and some businesses welcome the increased focus on privacy.

For now, it’s unlikely the GDPR will change how U.S. customers interact with U.S. businesses — perhaps more rights and protections will be afforded to Americans where a company does not want to manage varying levels of privacy protection, so all are granted GDPR-level rights.  Rising privacy-protection tides raise all ships,” says Greene.

“Instead, early indicators are U.S. citizens and businesses will be more directly impacted by states, such as California, that enact GDPR-like legislation in the near future,” Greene added.

Other businesses are worried about its impact on the value of their data and on their current business models.

“GDPR, if anything, has shown Americans companies what they do not want as it hinders their marketing and sales efforts as well as overall their business. American business is used to owning whatever data it collects — and they spend billions of dollars each year collecting that,” says Houpt.

“U.S. businesses know that they have to agree to something, but a 180-degree turn where each individual owns their own data means that persons will start charging companies for the storage and use of their personal data. If U.S. privacy laws turn the tables on the ownership of data, for example data on a person’s purchasing habits, you will see a huge shift in how U.S. businesses conduct marketing and sales efforts,” Houpt added.

Balance is key to protecting individuals and stabilizing businesses dependent on their data.

“There is a careful balance to be struct between protecting the privacy of individuals and making it impossible to…

Brunswick-Dave_Cleo.jpg

Cleo’s Dave Brunswick

…do business,” said Dave Brunswick, vice president of solutions, North America at Cleo. “Unless there is consistency between states, it will become increasingly difficult for companies to comply with all the different policies out there.”

“If regulation is too restrictive and variable across state boundaries, it could create a significant barrier to expanding businesses,” Brunswick added. “On the flip side, if the regulation is too loose and doesn’t have real teeth when organizations don’t comply, then there is little point in having it since it will not materially affect behavior.”

The executive summary is that when it comes to GDPR, we’ve yet to see a glimmer of its full impact. True privacy and ultimate compliance with this and other privacy regulations is going to require more effort and more investments than anyone likely foresaw. That represents opportunity for providers who can help with any of myriad steps along the way.

Miller-Robert_Private-Client-Resources.jpg

Private Client Resources’ Robert Miller

“Full implementation of a GDPR-like protocol will require a complete retooling of information-management platforms across financial services. New technologies are needed to support a globally safe data-sharing ecosystem, not solely a reliance on agreements to implement best practices or large cyber insurance policies,” says Robert Miller, CEO of Private Client Resources (PCR), a provider of UHNW data aggregation and client reporting “focused on the unique demands of wealthy families and their advisers.” PCR has an intense focus on data privacy and security for its clientele.

Miller also sees a need for privacy issues to be built-in rather than tacked onto anything concerning the collections, storage and use of data.

“‘Privacy by Design’ has become a recent buzz word for organizations and regulations. ‘Privacy by Design’ in short, requires that data subject rights are considered when designing technology solutions and business processes. Specifically, that how our data is acquired, stored, shared and traced is incorporated into these solutions from the ground up,” Miller added.

Before all is said and done, GDPR will fuel massive change in everything. But it will take years, maybe decades before we see the end results.

Read more about:

MSPs

About the Author(s)

Pam Baker

A prolific writer and analyst, Pam Baker’s published work appears in many leading print and online publications including Security Boulevard, PCMag, Institutional Investor magazine, CIO, TechTarget, Linux.com and InformationWeek, as well as many others. Her latest book is “Data Divination: Big Data Strategies.” She’s also a popular speaker at technology conferences as well as specialty conferences such as the Excellence in Journalism events and a medical research and healthcare event at the NY Academy of Sciences.

Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like