
What US companies can learn from Europe’s GDPR mistakes

After nearly a decade of “will they or won’t they,” the United States is on the cusp of its own sweeping data privacy law. The recently proposed American Privacy Rights Act (APRA) aims to establish robust federal rules roughly eight years after the European General Data Protection Regulation (GDPR) was adopted in 2016, and six years after it took effect in 2018.

However, the road to compliance will not be smooth. A look back at Europe’s experience with the GDPR suggests that significant growing pains lie ahead for businesses. Even before the regulation came into effect, a third of EU companies were concerned that their technology could not manage the data effectively. These fears proved well-founded as organizations grappled with GDPR’s expansive scope, complex risk assessments and stringent record-keeping requirements. On average, companies spent a staggering 1.3 million euros just to prepare for the new rules.

As the US braces for data privacy reform, companies should study Europe’s trials and tribulations. Staying ahead of APRA by updating data practices, training staff and building compliance in from the start will be critical to avoiding the same costly missteps.

The long road to data privacy

There is a sense of inevitability about data privacy regulation in the US. Slowly but surely, from the California Consumer Privacy Act to Virginia’s Consumer Data Protection Act, states have taken the lead in the absence of a national law. Eight more states are set to enact comprehensive privacy laws in the next two years.

State regulation is of course good for privacy, but it creates a patchwork of varied rules. A federal approach would pre-empt state law, level the playing field and provide much-needed predictability for businesses. That matters: polling data shows broad public support for stricter data privacy across the political spectrum.

The two-part proposal makes for familiar reading. Like the GDPR, APRA places the responsibility on companies to adhere to stricter data security standards or face penalties, while giving consumers the ability to opt out of targeted advertising and to minimize the personal data held about them.

In theory, APRA is an overdue protection for consumers and their information. In practice, following the letter of the law is easier said than done, as evidenced by the European GDPR.

Europe is a glimpse into the future

The GDPR raised big questions about how companies handle consumer data. European companies needed big and fast answers, especially with possible fines of up to 20 million euros or 4% of annual global turnover, whichever is higher. The rush to comply resulted in errors and inefficiencies that persist to this day.

First, there is the enormous scope of the regulation. European companies have struggled to overhaul their data management infrastructure, from tracking data lifecycles to adhering to specific storage and retention requirements. Companies without clear policies or internal champions struggled to update existing systems and processes.

Second, training, or the lack of it, has further hampered compliance efforts. Management did not always communicate the new data requirements or instruct employees on their changing roles and responsibilities. The result was human error, such as failing to secure personal data or sharing it with unauthorized parties.

Third, some made the mistake of not asking for help. Smaller companies were unable to keep up with the risk assessments and record keeping the regulation requires. Here too, companies can come unstuck without good data mapping and a concrete understanding of who is responsible for what.

Even today, these issues put full compliance out of reach for the majority of European companies. A report published in January surveyed more than 1,000 privacy professionals, of whom only 7% believe that “most” data controllers are fully compliant with any chapter of the GDPR. In addition, relevant violations still occur at roughly three-quarters of companies.

The lesson for American companies on the eve of our own data privacy regulations? Prepare now.

Be ahead of the regulations

Even if APRA faces hurdles this election year, which is likely, there is momentum behind federal oversight of personal data. Each new state law adds weight to the argument, and a tipping point is near.

American companies should take advantage of this window. Get started early by creating or reviewing your data protection plan. Consider hiring a data protection officer, someone who will keep an eye on your ecosystem and understand where your consumer data lives. Importantly, this person can work closely with the management team and ensure that all stakeholders understand the importance of protecting consumer data (and the liability if it is not).

Then bring your employees along. Tailor training to each employee’s specific interactions with consumer data. This is not a one-off but an ongoing activity that ensures the entire team understands best practices, what is at stake and how to comply.

Finally, implement tools and platforms that automate critical data responsibilities. Compliance solutions can be invaluable for continuously monitoring a company’s security controls and gathering evidence that they are in place. Unified endpoint management can facilitate data encryption and containerization while enforcing strong passwords and software updates, and such platforms can also automate data tracking and error logging. Adopting a zero-trust security model, in which no device or user is trusted by default and every access request is verified, can further strengthen your organization’s security posture and better protect consumer data.

Advancing data privacy isn’t just a feel-good exercise; it is crucial to avoiding the regulatory pitfalls that European companies have faced. By developing data protection plans, training staff and automating compliance now, American companies can prepare for the inevitable and maintain the public’s trust.