The mandates put in place last year through the European Union's General Data Protection Regulation provide an opportunity for companies to leverage their compliance efforts to better understand their customers, improve their data security posture, and prepare for any privacy regulations that may follow in the US, data protection experts say.
During a panel discussion on the future of data protection at the recent RSA conference, Trevor Hughes, president and CEO of the International Association of Privacy Professionals (IAPP), noted that GDPR drove a major increase in interest in privacy compliance: IAPP membership doubled in 20 months as companies sought to prepare for the regulation, he said. "That growth is a result of this issue exploding," he said.
Kalinda Raina, senior director and head of global privacy at LinkedIn, said GDPR was "fundamental in shifting the conversation about privacy, not just in the EU but here in the US as well." Since GDPR went into effect last May, regulators have received more inquiries and data breach reports have grown to all-time highs, she said.
Companies that have invested significant resources are increasingly finding that the returns on those investments go beyond mere regulatory compliance to offer a range of other benefits.
"The interesting thing that I've found is that it started out probably like many other companies. Workstreams that addressed the different tranches of it. Every tranche had to be attended to," said Ruby Zefo, chief privacy officer at Uber. But once the preparations were in place and it was a "mature program," the company "stopped labelling it as GDPR," she said.
"I think of it more as wanting to understand the customer, having a good platform," Zefo said. "That changed the lens and how we looked at it. GDPR is spreading its wings now, and it's covering more territory." Zefo added that GDPR requirements can be used to provide a "principled base" for a program that addresses customer needs.
LinkedIn already had an established privacy program, Raina said. "What we used GDPR as an opportunity for was to help the company understand that data privacy is not just a legal issue," she said. "It's not just something that sits with the lawyers. It's something that everybody has a responsibility for."
Part of that is "privacy by design," building appropriate privacy protections into new products and services as they are deployed, Raina said. Another issue is thinking about ways that LinkedIn can eliminate some of the data that it has gathered, she added.
Another key provision of the GDPR gives consumers the right to access all of the data companies hold about them. "You really have to have a mapping of all your data across the company," Raina said. Leading up to the GDPR, many companies had to build an inventory of the data they collected and work out how to maintain it. "This is a right that's coming to California as well," she said. "This is something we're all going to have to be thinking about."
Raina added that the data mapping required for GDPR purposes also provides useful information for information security professionals in their risk mapping. "Privacy and security have really come together, and there are overlapping benefits," she said. "The relationship of the CISO [chief information security officer] and the CPO [chief privacy officer] has really come together more than ever before."
The GDPR's "right to be forgotten" provisions are a different story, however, as it is less certain that such an approach will be duplicated in the US. Americans look at the issue through a "different lens," with a focus on First Amendment rights, Zefo said.
"The challenge geographically is difficult because not everyone thinks it's a good thing," she said. "Technologically, it also can be difficult. I'm not sure how you claw back data that's gotten into the wild."
Brian Hammond is technology news editor at SmartBrief. He was previously managing editor at Telecommunications Reports International, a Washington-based publisher of a slate of news and research products for telecom insiders, including Telecommunications Reports, TRDaily, and Cybersecurity Policy Report. Brian has a B.A. from the University of Virginia and an MBA from Virginia Commonwealth University.