For all the sound and fury surrounding consumer data privacy today, here’s what didn’t happen in 2018. European authorities did not levy astronomically high fines on any major multinational technology companies, as the cybersecurity community had feared under the European Union’s General Data Protection Regulation (EU GDPR). Companies did not slow their collection of personal data. Mega-breaches and around-the-clock data hacks did not drop off.
More generally, a growing awareness of the consequences of data theft and consumer manipulation drove support for data privacy up the policy agenda, among groups ranging from the average consumer to the board of directors.
“From a regulatory standpoint, 2018 was the year the world woke up and got serious about the need to keep personal data private,” said Sean Duca, Palo Alto Network’s Vice President and Regional Chief Security Officer for Asia Pacific and Japan. “If you collect it, you’ve got to protect it.”
Meanwhile, about those big fines … 2019 is now expected to be the year of GDPR enforcement, bringing out the “big stick” of fines up to 4 percent of annual global revenue, which could run in the billions for companies that don’t comply.
GDPR Catalyzes a Wave of Data Privacy Regulation
One look at the California Consumer Privacy Act (CCPA) tells a story that is being repeated across the world. Passed in mid-2018, the CCPA imports – often verbatim – many of the concepts that GDPR minted when it was passed in 2016. Brazil’s new General Data Protection Law (LGPD, in Portuguese) also mirrors GDPR. The 10-nation Association of Southeast Asian Nations (ASEAN), looking to solidify one of the largest world economies by 2030, is integrating its own version into the Master Plan on ASEAN Connectivity 2025.
In the simplest terms, GDPR requires companies to be transparent with individuals when using their personal information store the data safely and report any security breaches without undue delay or within 72 hours. The rule’s impact is global because it applies to any company, anywhere, that collects or processes the personal information of people located in the EU. And implementation is actually so complex that many companies are still working to put GDPR policies, procedures, and systems in place, even after this year’s deadline has come and gone.
A key GDPR provision is its high financial penalty for non-compliance: up to 4 percent of global annual revenue. Since the mid-2018 deadline for companies to implement GDPR, related complaints, enforcement actions, fines, and civil suits have been small-scale relative to expectations.
But the slow ramp-up shouldn’t be misinterpreted. Regulators think of it this way: For many companies, a small fine may not provide enough incentive to implement and sustain the costly privacy measures that GDPR requires. “This regulation prevents fines from being considered just a cost of doing business,” said Paola Zeni, Senior Director of Global Privacy for Palo Alto Networks. “When it’s that big, a fine can be an existential threat.”
As risky as that sounds, it’s not the end of the story. The growing number of GDPR look-alikes in other jurisdictions also differ from the EU version in ways that increase complexity and compliance risk, Zeni said. Consider, for example, if other U.S. states were to follow in California’s footsteps, each with its own twists. This is why some business leaders are calling for federal legislation.
Location, Location, Protection
Exactly where data is collected and handled is proving to be the source of issues ranging from GDPR compliance to digital trade barriers to third-party data management to post-Brexit data risk.
Take India, for example. Draft data protection legislation there would require at least one copy of data collected or processed in India to be stored in India – a policy known as data localization. For the many businesses worldwide that are served by the Indian business process outsourcing and software development industries, that could mean replicating and protecting data at two global centers instead of one. That’s costly. And some of the staunchest critics of the measure consider it a digital trade barrier.
China presents another big question mark in Asia. “China is in a state of flux,” according to Duca. Policies that have been floated there are still subject to change, he said. Even so, enforcement has at times been aggressive.
On the other side of the world, in the global financial capital of New York, the latest issue is third-party data risk. Strict new data privacy regulations have come into effect for any banks doing business there. And by March 2019, banks will become responsible for ensuring that their vendors, service providers, and other third parties adhere to the same standards, as well, under what the New York State Department of Financial Services calls its “first-in-the-nation cybersecurity regulation.”
On to the UK, where Brexit could disrupt data flows into and out of Europe – not just from British companies but from the many multinational corporations headquartered around London. A key question there is whether European regulators will consider the UK’s data protections adequate, once it exits from the European Union, Zeni said.
Consumer and Market Sentiments Sway Policy Outlook
While big fines and costly compliance budgets have clearly captured the attention of C-suite executives and board directors at companies around the world, so have consumer sentiments and stock market reactions to data breaches and election interference.
“Consumers have become more and more aware of the value of their information and the need to protect it,” Zeni said. “So, companies have realized that it’s very much in their interest to take a stance and show customers they are doing a good job at protecting data privacy.” At the same time, “the market has been very punishing,” she said, with large losses in market capitalization following headline-grabbing data breaches and congressional testimony on data privacy and integrity.
Here’s what isn’t going to happen in 2019: Many governments around the world will not be finished debating and developing their data privacy policies. Even if they were, companies’ compliance efforts will never be “one-and-done” exercises, but programs that will have to be sustained into the foreseeable future. Nor, in 2019, will digital innovation cease, which will keep regulators trapped in their perpetual game of catch-up with technology.