GDPR to become a more global phenomenon in 2019
As perhaps the world's most wide-reaching, comprehensive data protection rule, the General Data Protection Regulation is having a ripple effect that almost seemed inevitable.
The regulation took hold in Europe in May of 2018, and its global influence came in two forms. First, the language of the law called for any company that had European customers to follow the guidelines that, in effect, give the consumers ownership of their personal and payment details. It meant that some U.S. companies would have to comply.
Second, other countries such as Canada and Australia began to contemplate a similar wide-ranging data protection measure. Even if this doesn't materialize, the discussion has put all companies on high alert to handle — and remove — personal data more effectively.
While the British Parliament has delayed a vote on Brexit, it still has delivered compliance guidance on GDPR, informing companies that they should continue to review their data transfer processes and document data flows. After all, one of the key nuances of GDPR is that if a consumer asks a company where personal data is stored and how it has been used, the company has to answer.
In the U.S., any hopes that the country could deliver a similar regulation seems unlikely given the current political winds in Washington, said Julie Conroy, research director and fraud expert with Boston-based Aite Group.
Sensing this, California wrote its own version of GDPR, establishing rules that take effect in 2020. This legislation increases transparency and awareness among companies that develop e-commerce interfaces, software development kits or digital payment gateways.
"California's consumer privacy act ... bears a striking resemblance to GDPR," Conroy said. "And the reality is that we will probably see it get watered down a bit between now and then."
Google, for one, has been requesting changes to ease compliance for its massive data storage needs, Conroy noted. At the same time, Google quickly informed its customers that it supports GDPR and that Google Cloud would be totally compliant.
A U.S. version of GDPR is likely to continue to be state-led for the foreseeable future, Conroy said. "It will actually make compliance in the U.S. a more challenging proposition for businesses, since they'll have to comply with a patchwork regulation at the state level versus one federal bill."
That makes for a daunting task, considering the complexities the GDPR already brings to the table.
The power of GDPR rests, among other factors, on its call for storing an individual's data in separate files to make it a far more tedious process for a hacker to get into several networks to obtain a complete file.
It banks on the premise that the longer hackers are in a system trying to crack codes, the better chance of catching them. Or, better yet, they will get tired of trying and leave on their own.
And the push to help companies become GDPR compliant by May of 2018 when it became law began in earnest earlier in the year.
Mastercard and IBM formed Truata, a company designed to help companies comply with GDPR. It's a complex operation that essentially replaces data with tokens, while including concepts like "noise" and "perturbing data" that replace actual data through a statistical process that preserves the analytical value of the data, but prevents its conversion back to its original form.
Unlike the slower migration to EMV chip card liability shift compliance in the U.S. in late 2015, holding out on GDPR has costlier consequences. In addition to hefty fines, violators could lose certification or face a ban on processing personal data. That sort of damage control hurts a bottom line and a reputation among consumers.
But it's not all gloom and doom in the race to be GDPR compliant. Many companies have concluded that GDPR compliance opens the door to other benefits in marketing and business operations.
"We saw a big push for compliance among every firm that does business in Europe, given the magnitude of potential penalties under the law," Conroy said. "We've already seen countries proposing their own version of GDPR."
An audit of a company's data handling, in many cases, would eliminate redundant, obsolete or trivial files. Once an opt-in policy is implemented, and a business has the consumer's permission to use personal data, it could easily translate to more effective marketing and advertising. A person granting data-use permission should be a far more engaged consumer.
The problems Facebook faced over its data handling accelerated conversations about what GDPR should, or could, become.
That type of data sharing, especially of personal identifying information, is considered particularly dangerous for those who make a living helping companies manage technology assets.
"Advertisers and marketers used their wide-open access to harvest PII from Facebook users without the knowledge of the individual," Barbara Rembiesa, president and CEO of Information Technology Asset Management, said in a media statement. "As a result, some users of Facebook and other social media platforms are now looking for a solution to protect their data as well as their digital identity."
Because of that, the "sweeping regulation of GDPR that turned the power and authority of protecting PII back to the individual" is gaining international attention, Rembiesa said.
"The recent Facebook discovery has people looking for the adoption of something like GDPR in the U.S. faster than anticipated," she added. "It seems that people feel they are able to make decisions about their personal data better than any company or organization would."
Heading into 2019, GDPR has created a lot of jobs for data protection officers — and a lot of opportunities for those companies that take the role seriously.