Andy Barratt, UK managing director at cybersecurity consultancy Coalfire, critiques the United States’ current approach to data protection and asks whether it should follow in Europe’s footsteps with a single, nationwide regulation.
By all accounts, 2018 was a landmark year for data control and privacy. More than one billion people were affected by data breaches, and the start of enforcement of the General Data Protection Regulation (GDPR) in Europe was a defining moment for businesses and consumers alike.
With its more demanding standards and potentially crippling fines (up to 4% of global annual turnover or €20 million, whichever is higher), GDPR marks the point at which every business needs to start paying attention to the importance of data protection – if it isn’t already.
GDPR across the globe
The change in thinking that GDPR has stimulated is not confined to Europe. There has been a wave of updates and new regulations around the globe from nations looking to improve their own data protection standards and ensure that their companies are still able to do business in Europe and not become a target for EU regulators.
Japan and South Korea, for example, have both introduced new domestic data protection regulations that are in line with EU expectations. The significance of this for US businesses is that it’s no longer just Europe where a more relaxed approach to data privacy will be a barrier to entry.
Considering this, it’s no surprise that tech giants like Apple and Cisco are calling on the US government to introduce its own version of GDPR. But while the US lacks a uniform regulation at the federal level, some individual states are already forging their own paths with state-level data protection laws.
State of readiness
California, for example, passed the California Consumer Privacy Act (CCPA) in June of last year – the first state-level bill with clear similarities to GDPR – and other states have since followed suit, powering ahead where the federal government has been reluctant to act.
It’s easy to understand, particularly from a cultural perspective, why adding further federal oversight tends to cause concern for state governments. But the current inconsistency between states makes it difficult for businesses to know how they should invest in privacy and security.
One nationwide, standardised approach would likely make life much easier for businesses in the long term: a single set of requirements or principles would give them the freedom to operate anywhere in the country without having to manage compliance and breach disclosure separately in each individual state.
Blueprint for success
This move towards a GDPR-type model of legislation would also bring the country in line with other parts of the world, like Europe, where standards are currently higher. Although there might be an initial compliance pain barrier, it would make global expansion easier for US businesses. They would already be compliant with a robust data protection regulation so international standards like GDPR wouldn’t pose an additional challenge.
Let’s not forget that GDPR and its fines apply to any company that offers goods or services to, or monitors the behaviour of, people in the EU, whether that company is US-based or otherwise. American companies would stand far less chance of incurring such fines if data protection law at home were comparable to that of Europe.
The true value of GDPR is that it obligates businesses to think about how they use data and be more responsible with it – a law that achieves the same outcome in the US can only be a positive thing.
About the author
Andy Barratt is a cybersecurity expert with almost 20 years’ experience working in IT infrastructure, information security and assurance services. Andy leads Coalfire’s UK and EU operations and is actively involved in supporting security compliance with a number of technology companies, software suppliers, payment processors, banks, and insurers. Coalfire is a specialist cyber security consultancy with headquarters in Denver, Colorado and Manchester, UK.
The post #Privacy: Should the US adopt its own version of the GDPR? appeared first on PrivSec Report.