GDPR has sent the privacy and records management world into a tizzy since May of this year. Although the new regulation offers a plethora of protections for European residents, its effects reach much further than the European Union. From Australia to the US, Germany to Egypt—any company holding PII on a European resident is affected and must comply.
In doing so, affected companies must attain full data oversight and control. The procedures implemented to do this will also change how multinational organizations understand and interact with US resident data. For instance, many companies will gain new visibility into US resident PII once the systems necessary to fulfill subject access requests (SARs) are in place. While the US government, in contrast with the EU, has few stringent privacy requirements, US companies will still be affected by GDPR’s demanding data management requirements.
Taking a Step Back: GDPR vs US Regulation
Europe and the United States traditionally take very different approaches to personal privacy, harking back to WWII. The primary difference centers on the primacy of personal rights versus public interest. US regulation typically favors public interest by allowing more governmental insight into personal data and by granting businesses greater latitude in what they can do with personal data.
Most US privacy regulations exist at the state level (e.g. Colorado and California), and federal ones typically cover incredibly targeted facets of personal privacy. Many US laws provide guidelines which contradict other directives and do not get enforced. This causes a lack of accountability and allows companies to continue selling and using consumer data as if no regulation existed at all.
GDPR, in contrast, demonstrates the EU’s dedication to far-reaching and comprehensive privacy legislation. While many member states have existing privacy legislation, the primacy of GDPR means that each state must meet a certain standard that protects all residents’ personal right to their data.
GDPR and the US Consumer
As I have stated before, GDPR does—and will continue to—affect US consumers and the way their data is managed. US consumers do not, however, have the same rights to their data as their European counterparts.
In essence, complying with GDPR forces companies to attain full oversight of their data, but the advantages of this increased oversight need only be applied to EU residents. GDPR only prohibits companies from selling EU residents’ data to other companies, for instance, but that doesn’t mean those same companies can’t sell US consumer data for profit.
The Future of Data Privacy
In the short term, US consumers may benefit from the standardization of global privacy rules stemming from corporate convenience rather than government oversight. In the long term, however, GDPR may be the catalyst for global change and adoption of stringent privacy regulations. As more consumers see the value of privacy (especially given recent scandals such as Cambridge Analytica), consumers globally are pushing for better privacy regulations.
As people realize how much information companies have on them and how serious the repercussions of data misuse are, I predict they will put pressure on lawmakers to implement stricter laws with punitive repercussions. The US may adopt stricter rules on its own in response to that pressure, or there may be a unified global push for privacy reform. But change will happen.
The Here and Now
For now, we can assume that our data will still be used and sold by companies. We can take a closer look at privacy policies we sign, and we can be hopeful that things will change in the future. Thanks to GDPR, companies may already have a governance solution in place and will have fewer changes to account for if a new regulation comes into effect. In a perfect world, this will make the change smoother and faster, and we can rest assured few companies have access to our SSN, address, photos, search and shopping history... And those that do? They’ll have our consent.