Could GDPR Compliance Be a Competitive Advantage?
Baseline data privacy legislation is unlikely to gain traction in the U.S. but American and international companies are likely to view EU General Data Protection Regulation compliance as a competitive advantage, GDPR experts told us. Microsoft and Accenture publicly committed to end-to-end, global GDPR compliance. Facebook CEO Mark Zuckerberg told House lawmakers his platform will comply globally with certain aspects of the GDPR, specifically on privacy controls and consent transparency (see 1804110065). “My hypothesis is companies that do not provide [GDPR compliant services] will begin to stand out in a negative way to consumers and their users,” said World Privacy Forum Executive Director Pam Dixon. “There is a possibility that companies are going to see a domino effect where they feel a lot of pressure to comply.”
There has been discussion in recent years of pushing baseline privacy regulation in the U.S., but Dixon said the American regulatory regime, which she described as a “jigsaw puzzle of sectoral regulations,” doesn't lend itself to a broad law like the GDPR. Niskanen Center Director-Technology Policy Ryan Hagemann agreed baseline privacy legislation has never gotten real traction in the U.S., though the landscape is changing since the Facebook-Cambridge Analytica privacy breach. He also described the American approach to regulation as “sectoral,” citing the Health Insurance Portability and Accountability Act (HIPAA). HIPAA has flaws but is a better approach than having a broad set of rules that can be “amorphously interpreted and abused in a discretionary manner,” he said. Hagemann also agreed with Dixon’s estimation that corporations will weigh GDPR compliance against reputation: “You’re likely to see a lot more voluntary compliance on the part of American firms to try to implement at least some of the less onerous provisions of GDPR if you’re in the U.S., sort of to showcase good faith efforts.”
According to a recent Ponemon Institute study, about 40 percent of American and European companies don’t expect to be in compliance with the GDPR when it takes effect May 25 (see 1804200050). Canada-based tyGraph President Ed Senez, who works mainly with Fortune 500 companies on internal data policies, said the GDPR run-up is similar to the “flurry of activity” in December 1999 ahead of the feared Y2K millennium computer bug. U.K.-based extaCloud CEO Seb Matthews described a “general confusion” among companies trying to understand the 60,000-word GDPR.
On compliance, the consensus is that small and medium-sized companies are further behind than large multinationals because they don’t have the same resources. There’s also an assumption EU regulators will go after companies with large footprints before they impose fines on smaller companies. Under the GDPR, companies face noncompliance fines of up to 20 million euros per infraction, or 4 percent of global annual turnover, whichever is higher. “We feel like regulators are going to start with the big guys … go after the Apples or the Googles of the world,” said CompliancePoint Senior Vice President Greg Sparrow. Allied for Startups CEO Melissa Blaustein, whose organization is headquartered in Brussels, said she expects many U.S. companies to be surprised when the GDPR takes effect: “I think companies are taking steps to get ready, but they’re starting a little too late.”
IAB Europe CEO Townsend Feehan, based in Brussels, said the implications of the GDPR feel more immediate in the EU. It’s a bigger shock for American companies that have been operating under safe harbor protections shielding them from data mandates, she said. IAB Europe and IAB Tech Lab released a Transparency & Consent Framework (see 1804250070), which IAB hopes will be an open-source, cross-industry, consensus standard for collecting and communicating information about consumer agreements for data processing under the GDPR.
Ponemon Institute founder Larry Ponemon said many U.S. companies recognize they will have difficulty complying, but they’re hoping for “benevolent” regulators: “Companies are going to assume they’re in compliance, but they’re really not, so I think there will be a little bit of forgiveness.” Dixon expects the GDPR grace period could last years for smaller companies, unless there are flagrant infractions, while multinationals will be heavily scrutinized early on.
Sparrow discussed the prospect of the U.S. seeing states take action in the absence of baseline privacy legislation. California and Massachusetts are drafting data privacy laws, and Sparrow said a patchwork of state regulations creates confusion for businesses. Dorsey & Whitney compliance attorney Robert Cattanach anticipates more states following their example, which is what happened with data breach laws in the absence of a federal baseline.