GDPR, One Year Later, 'Not the Boogeyman'
Experts in various disciplines give their take on what GDPR has and hasn’t changed for businesses and consumers — so far.
May 1, 2019
![GDPR](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/blt89091b046d694a1c/65260534d81fb2314cb7c3eb/GDPR.jpg?width=1280&auto=webp&quality=95&format=jpg&disable=upscale)
The European Union (EU) General Data Protection Regulation (GDPR) took effect on May 25, 2018, to much fanfare and often with a considerable amount of dread. Now it’s a year later and time to evaluate what GDPR actually brought about, versus what was feared, and where it is steering companies next.
Beckage’s Daniel Greene
“The GDPR is not the boogeyman, it is a series of questions that U.S. companies need to make sure they can answer in order to do business with EU citizens’ data — it just so happens that the questions are complicated, require a well-trained eye to tackle and can change the practices and culture of U.S. companies,” said Daniel P. Greene, Esq., Certified Information Privacy Professional, Europe (CIPP/E), at Beckage law firm.
Several experts weigh in on GDPR’s effects on the U.S. in terms of businesses, consumers, law and geopolitics.
GDPR begat more privacy laws
WatchGuard Technologies’ Marc Laliberte
“Since the GDPR took effect, we have seen privacy gain significant momentum both globally and within the US,” said Marc Laliberte, senior security analyst at network security company WatchGuard Technologies.
Laliberte, like many other professionals involved with GDPR compliance, points to examples of new privacy laws spurred or inspired by GDPR, such as the California Consumer Privacy Act (CCPA), the introduction of the Washington State Privacy Act and Congressional action on a federal privacy bill.
Little enforcement – so far
GDPR is still young and both companies and regulators are still busy figuring out how it works.
DH2i’s Don Boxley
“As we come upon the Global Data Protection Regulation’s (GDPR) first birthday, I would compare it to a toddler and describe GDPR’s first year as a transition year, and European regulators as still a bit like indulgent parents,” said Don Boxley, CEO and co-founder of DH2i.
Several companies that rushed to comply with GDPR mandates in late 2017 and early 2018 report that enforcement appears practically nonexistent.
DataBank’s Mark Houpt
“For now, it has not changed one thing we do. Since June of 2018, I have not had one compliance questionnaire or entity come to me to validate my GDPR compliance. This may change as GDPR matures and court cases determine jurisdiction and even practical implementation,” says Mark Houpt, CISO for DataBank.
A DLA Piper survey pegs the number of data breaches reported at over 59,000, which is a significant increase under GDPR, but the survey also found that only 91 resulted in fines. DLA Piper is a global law firm.
Many businesses are still holding their breath, however, in anticipation of the inevitable increase in enforcement and impact.
“After one year, the GDPR is still honing its enforcement action process — as the authorities move on from the Googles and Facebooks, they’ll take on the next batch of companies with more efficiency, working their way down the ladder to small-to-medium sized businesses,” says Greene.
Activity in the name of GDPR compliance is thus expected to increase rather than decrease in the second year.
RapidFire Tools’ Michael Mittel
“With recent fines and penalties in 2019 and people reading more about it in the press, there’ll be more activity happening, both on the prosecution side and the response side from companies that are affected by GDPR,” said Michael Mittel, founder and CEO of RapidFire Tools, a Kaseya company.
“We saw that happen with HIPAA in the United States. The final regulation was written into law in 2013 and it took a while for folks to realize the impact and importance. When they did, it snowballed. The same thing will happen here with GDPR,” Mittel added.
Penalties are also expected to rise under new privacy regulations spawned by GDPR.
Blancco’s Fredrik Forslund
“The fines for non-compliance of the CCPA, which could be up to $7,500 per violation, may prove to be even more devastating [than GDPR] for companies doing business with California consumers,” warns Fredrik Forslund, vice president of enterprise and cloud erasure solutions at Blancco.
Mixed consumer and business reactions
Consumers and some businesses welcome the increased focus on privacy.
“For now, it’s unlikely the GDPR will change how U.S. customers interact with U.S. businesses — perhaps more rights and protections will be afforded to Americans where a company does not want to manage varying levels of privacy protection, so all are granted GDPR-level rights. Rising privacy-protection tides raise all ships,” says Greene.
“Instead, early indicators are U.S. citizens and businesses will be more directly impacted by states, such as California, that enact GDPR-like legislation in the near future,” Greene added.
Other businesses are worried about its impact on the value of their data and on their current business models.
“GDPR, if anything, has shown American companies what they do not want as it hinders their marketing and sales efforts as well as overall their business. American business is used to owning whatever data it collects — and they spend billions of dollars each year collecting that,” says Houpt.
“U.S. businesses know that they have to agree to something, but a 180-degree turn where each individual owns their own data means that persons will start charging companies for the storage and use of their personal data. If U.S. privacy laws turn the tables on the ownership of data, for example data on a person’s purchasing habits, you will see a huge shift in how U.S. businesses conduct marketing and sales efforts,” Houpt added.
Balance is key to protecting individuals and stabilizing businesses dependent on their data.
“There is a careful balance to be struck between protecting the privacy of individuals and making it impossible to…
Cleo’s Dave Brunswick