What American Enterprises Can Learn From Europe's GDPR Mistakes

COMMENTARY

After almost a decade of "will they or won't they," the United States is on the cusp of its own sweeping data privacy law. The recently proposed American Privacy Rights Act (APRA) aims to establish robust regulations about eight years after the implementation of Europe's General Data Protection Regulation (GDPR).

However, the road to compliance won't be smooth. A look back at Europe's experience with the GDPR suggests significant business growing pains on the horizon. Even before the regulation kicked in, one-third of EU companies were concerned their technology couldn't effectively manage data. Those fears proved well-founded as organizations grappled with the GDPR's expansive scope, complex risk assessments, and stringent recordkeeping requirements. On average, firms spent a staggering 1.3 million euros just to prepare for the new rules.

As the US braces for its data privacy overhaul, enterprises should take heed of Europe's trials and tribulations. Staying ahead of APRA by updating data practices, training staff, and ensuring compliance from the outset will be critical to avoiding the same costly missteps.

The Long Road to Data Privacy

There's a sense of inevitability regarding data privacy in the US. Slowly but surely, from California's Consumer Privacy Act to Virginia's Consumer Data Protection Act, states have taken the lead in the absence of national regulation. Eight more states are ready to enact comprehensive privacy laws in the next two years.

State regulation is good for privacy, of course, but it creates a patchwork of varied rules. A federal approach would preempt the state legislation, level the playing field, and offer much-needed predictability for companies. Importantly, polling data shows broad public support for stricter data privacy across the political spectrum.

The bipartisan proposal makes for familiar reading. Much like GDPR, APRA puts the onus on companies to abide by stronger data security standards or face sanctions, giving consumers the power to opt out of targeted advertising and minimize the personal data held on them. 

In theory, APRA is an overdue safeguard for consumers and their information. In practice, as shown by Europe's GDPR, following the letter of the law is easier said than done.

Europe Is a Peek at the Future

The GDPR asked big questions about how companies handle consumer data. European companies needed big answers and fast, especially with potential fines of 20 million euros or 4% of annual turnover. The rush to compliance resulted in errors and inefficiencies that still ripple to this day.

First, there's the sheer scope of the regulation. European businesses grappled with overhauling their data management infrastructure from tracking life cycles to adhering to specific storage protocols. Companies without a clear policy or internal champion struggled to revamp existing systems and processes.

Training, or lack thereof, further hamstrung compliance efforts. Management didn't always communicate the new data demands nor instruct employees on their evolving roles and responsibilities. This resulted in human error, like failure to safeguard personal data or sharing data with unauthorized parties.

Third, some made the mistake of not asking for help. Smaller businesses couldn't keep up with the risk assessments or record-keeping required by the regulation. Again, without proper data mapping and a concrete understanding of responsibilities, companies set themselves up for failure.

Even today, these issues put full compliance out of reach for the majority of European companies.  A report published in January surveyed more than 1,000 privacy professionals, only 7% of whom believe that "most" controllers completely comply with any chapter of the GDPR. Additionally, three-quarters share there are still relevant violations at an average company. 

The lesson for American companies on the eve of our own data privacy regulation? Prepare now.

Get Ahead of the Regulation

Even if APRA faces hurdles in this election year, which is likely, there is momentum behind federal data oversight. Each passing state adds weight to the argument, and a tipping point is near.

American enterprises should take advantage of this important window. Get started early by creating or double-checking your data protection plan. Consider hiring a data protection officer, someone who monitors your ecosystem and understands where your consumer data lives. Importantly, this person can work closely with the executive team and ensure all stakeholders understand the importance of protecting consumer data (and the liability of not doing so).

Then, bring your employees along for the ride. Tailor training for employees based on their specific interaction with consumer data. This isn't a one-off but an ongoing activity that ensures the entire team understands best practices, what's at stake, and how to comply.

Finally, adopt intelligent tools and platforms that automate critical data responsibilities. Compliance solutions can be invaluable by continuously monitoring and gathering evidence of a company's security controls. Additionally, unified endpoint management can facilitate data encryption and containerization while enforcing strong passwords and software updates. These platforms can also automate recordkeeping and error-logging processes. Further, implementing zero-trust security models, where no device is inherently trusted, can significantly reinforce your organization's security posture and better protect consumer data.

Getting ahead of data privacy isn't just a feel-good exercise — it's critical for avoiding the regulation pitfalls experienced by European businesses. By developing data protection plans, training staff, and automating now, American businesses can prepare for the inevitable and maintain public trust.