5 Years into GDPR: Back to the Drawing Board on Data Privacy?

Late last month marked the five-year anniversary of European Union General Data Protection Regulation (GDPR), providing a unique moment for leaders across both the public and private sector to take a much-needed pulse check on this landmark piece of legislation, asking themselves: What’s working? What isn’t? And how can we use these lessons learned to help prepare for what’s next? This becomes particularly relevant against the backdrop of the recent $1.3 billion fine imposed on Meta for breach of conditions for US-EU data transfers in the GDPR -- the largest ever to-date.

In many respects, the GDPR has been successful in protecting consumer privacy by setting clear guardrails for how businesses should protect data coming to and from the European Union. The 261-page document has been hailed by many as one of the most robust data governance, data management and data transparency regulations in history. And yet, despite the seemingly clear-cut and unambiguous nature of its language, an estimated 94% of American companies are still ill-equipped to comply with GDPR nearly half a decade later. Perhaps even more concerning, 50% of American companies that acknowledged a need to comply with GDPR did not provide a mechanism for customers to exercise their data privacy rights -- leaving those purported to benefit from this legislation without the means to do so.

As we take time to reflect on the effectiveness of GDPR as a global data privacy roadmap, it’s clear that clarity and comprehensiveness can only get you so far without accountability. Now, as US states begin pressure testing their own GDPR-style regulations -- with California’s Consumer Privacy Act being the most notable example -- we have an opportunity to imagine a US alternative of GDPR that improves upon this game-changing piece of legislation by encouraging participation from the private sector -- not disincentivizing it.

Here are a few key insights for US regulators considering implementing GDPR-style legislation on its five-year anniversary.

Be Prescriptive

To date, one of the clearest challenges of the GDPR has been that there is no prescriptive way for business leaders to achieve compliance. On the contrary, the language is strictly performance-based, meaning that while the mandated outcomes of GDPR are clear (e.g., ensuring user data doesn’t fall into the wrong hands), the ways to get there are generalized and largely seen as “up to the company.” Unfortunately, as the rate of data breaches rises, by 7% in Q1 2023 alone, this laissez faire approach has left many companies up a river, without a paddle -- scrambling to provide oversight in a rapidly changing data privacy landscape.

Should the US adopt its own GDPR counterpart, it will be critical that the legislation provide clear, prescriptive guidance that can help companies -- particularly small-l to medium-sized businesses -- protect user data. The Payment Card Industry Data Security Standard (PCI DSS) is one example of how this type of model can work, mandating the same processes across the entire industry so that there is little room for misunderstanding when it comes to securing cardholder data. What’s more, participating companies are audited annually, allowing regulators to ensure that their credit management practices are continuing to evolve to meet the needs of the modern day. Our data privacy standards must follow suit, or we risk creating roadmaps that no one can use effectively.

Promote Data Free Flow Without Trust

Much of the real estate in GDPR is spent defining what “trust” means in a data privacy environment, when it should be doing the opposite. In fact, an important lesson that we should have learned five or 10 years ago is that data privacy must be established with the least amount of trust possible, implementing auditable, technical controls that underpin every aspect of global business. GDPR is only the beginning, and it will be incumbent on companies to implement these processes today to ensure they’re adequately prepared for regulations that lie around the corner tomorrow.

Thankfully, business leaders don’t necessarily need to protect every single piece of data in their purview to prepare for compliant cross-border data transfers. Rather, companies can remain in compliance simply by being more discerning about protecting what they need -- and releasing what they don’t. Cutting-edge techniques such as data pseudonymization can be incredibly beneficial in this effort, separating identifiable information from the data itself so it can be shared more securely. In a recent ruling, the EU General Court held that sharing of pseudonymized data is not considered disclosure of personal data as the individuals concerned are not identifiable by the recipient of the data.

Using such techniques means even the biggest multinationals can continue scaling without being overwhelmed by the sheer amount of consumer information at their disposal. Imagine if our regulatory frameworks enabled these practices, moving away from restrictive “catch all” policies to unlock agility in an otherwise restrictive data privacy environment.

Final Thoughts:

We have learned so much in the five years since the GDPR was first enacted. This landmark piece of legislation has forever changed how companies manage and protect their data. And yet, despite all its benefits, the GDPR has also enforced antiquated policies that have stifled innovation, economic growth and have overlooked the many technologies that are transforming data privacy for the better. It’s time that we adapt to this new normal, galvanizing action from the public and private sector to pioneer the next five years of safe, efficient, and global data sharing.