GDPR Three Years Later: What Impact Has It Made?

Every affected business leader around the world was thrilled to finally secure full General Data Protection Regulation (GDPR) compliance by the May 25, 2018 enforcement deadline. For months—in some cases years—organizations worked diligently to make sure they covered all the bases to protect EU consumers’ data, as well as their own brand reputation and business interests.

Once the deadline came and went, so did the massive cascade of stories about the monumental and sweeping regulation. Three years later, many people may find themselves wondering how companies around the globe fared and what GDPR inspired in other countries and states.

The Global Impact of GDPR

GDPR has effected significant improvements in the governance, monitoring, awareness, and strategic decision-making regarding the use of consumer data. Further, the risk of incurring and paying out hefty fines has made companies take privacy and security more proactively. Companies everywhere have taken a closer look at their approach to consumer data privacy and security over the past three years.

On a global scale, GDPR legislation has pushed the topic of data privacy to the forefront. Now, three years out, more than 100 countries have put privacy standards in place. These include Japan, South Korea, Kenya, Argentina, Brazil, and Chile. For example, Canada added a Digital Charter to their Personal Information Processing and Electronic Documents Act (PIPEDA) addressing cookies and opt-out options. The Protection of Personal Information Act went into full effect in South Africa in July 2020. Australia’s Privacy Act has been on the books since 1988, but was recently amended to reflect GDPR regulations.

The Impact of GDPR on Regulations in America

Several state legislatures across the U.S. have stepped up to lead the path to data privacy. State regulatory bodies are introducing ambitious, far-reaching proposals to protect consumer data privacy. There are plenty of examples of this state-by-state movement for data privacy.

California

California was one of the first state legislatures to pass a large-scale, comprehensive privacy measure, mirroring the GDPR. In June 2018, just one month after GDPR’s deadline enforcement date, the California Consumer Privacy Act (CCPA) of 2018 passed.

The CCPA was proposed only a week before it passed, and it went through unanimously. In a rare and encouraging turn, the desire to protect constituents’ data trumped standard partisan gridlock. Set to come into effect in 2020, the CCPA focuses on consumer rights regarding data at its point of collection.

While California has led the states’ charge to data privacy and security laws, it is not the only state taking action. Learn more about how two other states are tackling this important matter effectively and on their own terms.

Vermont

In June 2018, Vermont passed its own Data Broker Law, making data brokers subject to registration and security requirements, as of January 1, 2019.

Within this law, there are three important points:

1. A broad statutory definition of a “data broker.” A data broker is an individual or business that collects and sells or licenses the brokered personal data of a consumer, even if there is no direct business relationship.
2. Reporting on data broker security breaches. The Vermont law lays out a specific definition of “data broker security breaches,” which is included in the annual registration. The definition here states that a data broker security breach is “an unauthorized acquisition, or a reasonable belief of an unauthorized acquisition of more than one element of brokered personal information maintained by a data broker.” Further, the data has not been encrypted—or made unreadable or unusable—by any unauthorized party.
3. An annual registration requirement for all data brokers in Vermont. Data brokers must register each year with the state of Vermont.

Colorado

While many other states are developing data privacy laws, Colorado has adopted an unprecedentedly strict consumer privacy law with the Colorado Consumer Protection Act (CCPA) to protect residents’ personal data. Colorado’s lawmakers have taken notes from at least 31 other U.S. states that have adopted heightened security measures to shepherd consumer data.

The CCPA mandates that any private company or public agency that stores personal data or Colorado residents must have a data protection policy. Under the policy, each organization must also have an efficient breach notification system. Further, the business must also have the ability to destroy the data once it is no longer needed.

All businesses, regardless of size, must comply with the CCPA, as long as that business has customers in Colorado. The business can be located anywhere. It only matters that the business has customers residing in the state.

Although the CCPA is a huge move toward unrivaled data security in the U.S., the Colorado legislature has stayed busy working to tighten measures. Lawmakers in Colorado passed the Protections for Consumer Data Privacy (PCDP), known as House Bill 18-1128, which went into effect on September 1, 2018. This landmark piece of legislation has set forth tighter notification requirements. The CCPA has also set the new standard for developing and maintaining effective information security measures to protect personal data assets.

Nevada

Under Nevada law, enacted in 2015, personal information, when combined with an individual’s name, must be encrypted to protect individuals’ privacy. This law applies to companies that own or license data of Nevada residents.

Massachusetts

The Commonwealth of Massachusetts has the strictest data protection laws of any state. The standards require that any entity that owns or licenses personal information about a resident of Massachusetts must develop, implement and maintain a full information security program.

Related article: Addressing the Need for Nationwide Data Privacy Laws.

What Are U.S. Political Leaders Doing to Develop Data Privacy Laws at the National Level?

In the summer of 2018, immediately following the May 2018 GDPR enforcement deadline date, data security plans in the U.S. were already underway. Democratic Senator Mark Warner went to task, developing a list of policy options for national legislation regarding data privacy and security, according to The Hill. The Senator recommended a “comprehensive GDPR-like data protection legislation.”

Here are a few key points made in the document proposing U.S. national privacy law.

1. The U.S. may adopt requirements and rules that resemble those of the GDPR, which include:
   • Data portability,
   • 72-hour data breach notification,
   • The right to be forgotten,
   • First-party consent and other data protections.
2. Additionally, business processes handling personal data must use pseudonymisation or full anonymization.
3. Many other national leaders are seeking data regulation to protect U.S. consumers.

How Are Data Leaders Managing GDPR Requirements?

The most diligent CISOs and CDOs continue to do their best to keep everything running smoothly as an ongoing responsibility, along with any additional duties they need to manage. The fact is that no one ever thought achieving and maintaining compliance for this regulation was going to be simple. It was brimming with complex challenges from the start. CISOs consider it one of the most pressing data-related topics for at least the past few years.

Here are two key strategies that CISOs find most effective in maintaining compliance.

1. Charging one team member with the role of Data Protection Officer (DPO) to oversee efforts.
2. Ensuring their employees are on board with GDPR compliance through internal awareness campaigns, training, and sharing best practices.

Is Your State Making Strides in Data Privacy Legislation?

State and national lawmakers show no sign of slowing down efforts to write and enact new legislation to protect consumer data. Several other states are definitely hot on the heels of states like these.

Where is your state in the effort? Are you facing new legislation with which you must comply to protect your customers and your business’s brand? Our team at I.S. Partners can help you stay up to speed on where your state is, regarding data security and privacy laws. We can also help to ensure you are fully compliant.

Call us at 215-631-3452 or request a quote to learn more about U.S. data privacy laws.

About The Author

Anthony Jones

Anthony has over 20 years of experience and has worked with a variety of industries, including Health Care Insurance, Banking and Financial Services, Information and Analytics, Telecom, and Utilities. Anthony has extensive knowledge in IT Security consulting; he is also a Certified Information Systems Auditor (CISA), and Project Management Professional (PMP) designation holder with expert ability to accurately determine needs, understand risk tolerances, offer alternatives to current situations, develop action plans and cultivate longstanding client relationships. Anthony’s area of expertise consists of MAR, HIPAA and Sarbanes Oxley Compliance, IT Security and Privacy Management, Enterprise Risk Management (ERM), Health Care Insurance Banking and Financial Services, Manufacturing and Utilities. Prior to joining IS Partners, LLC Anthony spent 12 years with PWC as a Senior Manager in Business Risk Solution (BRS) Practice advising Fortune 100 financial services, manufacturing, Insurance and utility companies. Anthony graduated Saint Joseph’s University. Anthony received his MBA from SJU Haub School of Business.
Anthony Jones frequently blogs for I.S. Partners, LLC.