The Privacy Paradox: GDPR Compliance in the U.S.

Originally published in Venture Beat.

Figure this one out: Just shy of 100% of U.S.-based privacy professionals believe that the importance and complexity of managing privacy in their organizations is increasing.
Similar numbers (97%!) acknowledge that they will increase their investment in managing privacy.

Yet fully 61% of these same professionals acknowledge that they have done little to prepare for the coming of the world’s biggest privacy regulation, the EU’s General Data Protection Regulation, or GDPR. What’s more, 99% admit to needing additional help in preparing for the GDPR.

Let me see if I’ve got this right, American privacy professionals: there’s a big old train heading our way (the GDPR express), due to come barreling into the station next May. Yet most of you haven’t yet done much to prepare, though nearly all of you admit you could use a hand?

Something’s not adding up for me.

Such was the data laid at the feet of the panel presentation I participated in at the TRUSTe (now TrustArc) PrivacyRisk conference in San Francisco on June 6, and it’s probably indicative of the state of American GDPR readiness that no one (myself included) expressed a whole lot of surprise.

Yeah, we know it’s a big deal, we know it’s going to cost a lot of money, and we know we’re a little behind in getting ready. But hey, we’ll get it done. That’s the American way.

GDPR in the USA

Just after the final panel, during which we reviewed this data and talked about all the work that was actually getting done, a European attendee expressed his astonishment at how seriously we Americans were treating the GDPR. The European stereotype that Americans don’t take privacy seriously just wasn’t true, he marveled.

In fact, it seemed that these crazy Americans were quite passionate about GDPR compliance, that they understood the major commitments it was going to take to change policies, procedures, and reporting, and that they were determined to get it done (even if they were a little slow to get going).

It’s worth observing that Americans overall don’t tend to be overly fond of an overarching government calling the shots. Thus we have found ourselves with the government we deserve, one that seems utterly incapable of coming to consensus on anything, let alone a regulatory framework for data protection.

But it’s also true that those who are charged with making sure that the companies they help manage don’t get into regulatory trouble (as well as those who care deeply about companies behaving ethically toward consumers) have a deep hunger for clarity. And clarity is one thing the GDPR provides in spades. Since the American regulatory framework doesn’t provide much structure, we’ll happily adopt one from abroad (especially since it’s backed up with the as-yet-untested threat of big fines).

We Welcome Our New EU Overlords

Most of the privacy professionals I know welcome the GDPR. They see its coming as a great opportunity for companies to regularize around a common set of standards and requirements.
After all, no company wants to manage multiple sets of requirements for the various domains they work in. It’s just simpler and more efficient to lock into a single standard. As long as their competitors must all do so too, there’s no competitive disadvantage.

These companies—the big global companies who loom large in the American business scene—will in turn pass along their alignment with the GDPR to all their suppliers, who will be asked to snap to the new requirements if they want to keep their contracts.

The More Things Change…

This is how American corporate culture changes, and it’s always been this way. Sure, American business has occasionally had practices dictated to it by politicians, in the form of early labor laws and food safety regulations, for example.

But for the most part, American business has self-regulated when it felt that it was in its best interests to do so. I believe that’s what we’re seeing happen with GDPR compliance. American businesses will adopt the protections for individual data that are embedded within the GDPR not because of some high-minded embrace of the universality of human rights to their own data, but because it’s good business to do so.

At one session at the conference, a vocal German attendee lamented that people should not be forced into accepting targeted advertising as the price to pay for free email. He insisted that email should be as “private” as the regular mail provided by the postal service, which everyone assumes is free from the surveillance of the USPS.

But, the American panelist replied, this service wasn’t a government-subsidized utility, but a commercial exchange. The individual accepted that allowing the email provider to scan the email to target advertising was the price paid for a free service, and what was wrong with that?

Their argument was inconclusive—but it was indicative of the very distinct way that American businesses would adopt GDPR standards of data protection into a culture that was still very different than that of Europe.

These are just some of the paradoxes of the American adoption of the GDPR: we know it’s coming and it’s going to be big, but we’re preparing at our own pace and we’ll fit it into our own cultural standards concerning the relationship between the individual, the corporation, and the state.

Should be a fun ride.
