June 14, 2019

One Year Post-GDPR: What’s Changed in Data Privacy and Compliance?

One Year Passes Post-GDPR 

The EU’s General Data Protection Regulation (GDPR) took effect on May 25, 2018. The regulation was announced in 2016, and the EU gave organizations two years to shore up privacy processes in preparation for the deadline, at which point some of the most robust personal privacy protection laws created would be put into effect.

What ensued was a mad rush to achieve compliance, often without due diligence or professional consultation. Today, compliance professionals across industries are reflecting on what’s changed since GDPR went into effect.

Four Ways GDPR Has Changed How Companies Do Business in the U.S.

There are four primary ways GDPR has changed, or not changed, the way companies do business in the U.S., as well as how it has affected consumers.

1. GDPR has spurred a renewed privacy debate, leading to a new outlook on the subject by the general populace.

The back-and-forth on privacy is nothing new in the media. After all, the U.S. has had privacy laws since the 1960s. However, GDPR, coupled with the major mishaps of social media data sharing in 2016, has significantly influenced how the American populace views and thinks about what businesses are doing to protect consumers.

GDPR has given way to a new mindset, whereby consumers and end users have a strong sense of ownership over their personal data. People are very aware that companies use and retain their personal data in order to profit from what some would consider personal or intellectual property. 

2. New laws are being written.  

Most notable are the privacy laws in California. There are now increasing efforts to enact a person-centric U.S. national privacy law much like GDPR, although this is stumbling in the halls of Congress and meeting great opposition from business lobbyists in Washington.

3. Companies rushed to comply with GDPR. Enterprises across industries have put forth more budget, as well as new processes and procedures, to ensure compliance.  

Have you noticed the uptick in websites requesting permission, or informing visitors of their use of cookies in popup ads? This is a prime example of the changes being made within businesses to ensure compliance with GDPR. Many of the companies impacted by GDPR were in a mad rush to comply, but without a complete understanding as to which elements of business required compliance, or why—and many still don’t. Decision makers commonly read media reports and lean on compliance professionals who say GDPR is the law, but it seems that few in the U.S. stopped to determine whether they’re under the jurisdiction of the EU.  

4. An area unchanged: some companies have done their research, effectively determining they’re not required to comply. 

For the companies who did take the time to conduct adequate research and consult legal counsel, ultimately determining that compliance isn’t required, not much has changed. At present, the question of whether EU law has jurisdiction inside the U.S. for a solely U.S.-based company is still in deliberation, and will be for years until a U.S. court determines the answer officially. 

Bringing it Back to Basics: Privacy Laws Aren’t New 

For now, GDPR has not changed one thing we do. Companies rushed to comply as a result of media attention in late 2017 and early 2018. Since June of 2018, I have not had one compliance questionnaire or entity come to me to validate my GDPR compliance. This may change as GDPR matures and court cases determine jurisdiction and even practical implementation. 

-Mark Houpt, CISO 

GDPR as a catalyst for privacy laws and compliance changes is often confounded with the social media data sharing revelations that took place in 2017. While it’s true that GDPR serves as a model for California law, and may for U.S. national privacy law as well, it didn’t initiate the real push. If anything, GDPR has demonstrated the consequences to American enterprises of failing to lead on the issue of privacy. We’ve all witnessed the damage that data mishandling, leaks, and breaches inflict upon marketing and sales efforts, as well as business overall. American businesses are used to owning the data they spend billions of dollars annually to collect. GDPR, and similar laws, have turned the tables.