The General Data Protection Regulation (GDPR) that was ratified by the European Union (EU) and took effect in May 2018 is unlikely to apply to most companies based in the United States. In practice, however, the GDPR already applies to virtually every company worldwide.
The set of laws for heightened privacy of personal data governs companies that sell in the EU. While certainly there are multi-national U.S. companies who went to great length and cost to comply with GDPR, the reality is that the vast majority of small and medium U.S. businesses aren’t doing business in Europe and simply won’t be touched. Technically speaking.
It’s creating an environment where companies need to take strides toward consumer privacy protection, or be left behind.
But U.S. companies, even those that don’t do business in Europe and never will, are already touched by GDPR. Think of GDPR not as a singular law that may or may not apply to a given company, but as a part of an environment where governments, businesses, and consumers alike are taking greater steps to protect privacy.
Since the GDPR was enacted, more governments are considering and passing consumer privacy laws for businesses; more businesses are considering and adopting consumer privacy policies for themselves; and more consumers are choosing businesses who can be trusted to handle consumer data.
And it’s creating an environment where companies need to take strides toward consumer privacy protection, or be left behind. Companies who are preparing for forthcoming data privacy laws and working togain trust from consumers stand the greatest chance to gain market share as the data protection environment advances, which seems inevitable.
It’s the rising demand for consumer protections that needs your attention, if not necessarily the GDPR itself. It would be wise to comply with the spirit of GDPR – enhanced data privacy – even if you’re not technically required to.
Government and your Competitors are Working Toward Consumer Privacy
It would be wise to comply with at least the spirit of GDPR by taking strides to enhance the protection of consumer data and your standing with your customers.
Complying with GDPR can be a large interdisciplinary effort that involves all corners of an organization, and some companies have spent $10 million or more in meeting the law’s requirements.
We certainly aren’t suggesting you spend eight figures to become compliant with a law that you may never be bound by. Also, we are not advising you how to become GDPR compliant because that’s between you and you’re legal counsel
We are however making the case that it would be wise to comply with at least the spirit of GDPR by taking strides to enhance the protection of consumer data and your standing with your customers.
There remains the chance that you will at some point store the data of an EU citizen, even unknowingly, and therefore become suddenly bound by the GDPR (although overseas enforcement for a single unwitting misstep feels like a longshot).
Of greater significance is that laws, privacy, and consumer habits regarding data privacy are shifting.
GDPR Has More Governments Thinking Consumer Protection
Whether or not a company is bound by GDPR, it’s easy to see the writing on the wall: Governments are thinking about consumer privacy more than ever before, and they’re acting on it.
The wake of GDPR has included waves of new consumer privacy laws.
Around the same time that the EU was signing its GDPR into law, Japan enacted an expansive amendment to its own consumer privacy law, called the Act on the Protection of Personal Information (APPI). And later in the year Brazil approved its General Data Protection Law.
Most notably for U.S. companies, also in the same year, California passed its Consumer Privacy Act. While the law has been described as "GDPR Lite,” it will become the strictest privacy law in the U.S. when it takes effect on January 1, 2020.
Days after the one-year anniversary of GDPR taking effect, state lawmakers in New York were considering a GDPR-inspired update to the stat'es data breach notification law.
Whether or not a company is bound by GDPR, it’s easy to see the writing on the wall: Governments are thinking about consumer privacy more than ever before, and they’re acting on it.
New consumer privacy laws are sure to emerge. Companies who aren’t taking steps toward protecting consumer privacy now are likely to be caught flat-footed when new laws do emerge.
GDPR (And Breaches) Have More Competitors and Consumers Thinking Protection
Companies who aren’t paying attention to consumer privacy are falling behind competitors who are. And an ever-growing list of high-profile breeches is likely only to make the gap wider as consumers take their privacy into greater consideration.
The 11 billion records stolen in the U.S. from 2013 through today are roughly 22 times greater than the number of records stolen in any other country in that time, according to the Breach Level Index from Gemalto, a global digital security firm.
The U.S. also has a data theft-to-population ratio more than four times greater than any other country, according to Varonis, a specialist in cybersecurity and data protection.
Consumer trust is vital to business, and competitors who are prepared to retain consumer trust are lining up to take market share from companies who aren’t.