GDPR May Not Apply to You. Follow it Anyway

I recently spoke at a small business event, and I asked for a show of hands for those governed by various common data privacy regulations (PCI, HIPAA, etc.). I saw giant smiles on the faces of those not raising their hands—a sense of relief for having avoided the extra discipline and effort that compliance requires. My advice to that relieved group: pick a data security regulation anyway—any one of them—and follow it.

With the GDPR deadline just days away, a lot of organizations in the U.S. are feeling like those lucky few small business owners, thrilled that they don’t fall under the new GDPR regulations. My advice: follow it anyway. Here’s why:

The U.S. will copy elements of GDPR—sooner than you think

The U.S. tends to follow rather than lead when it comes to data privacy regulations. If history repeats itself, U.S. regulators will follow the tenets of GDPR—and likely enhance it (read: make requirements more specific and stricter) based on how GDPR enforcements shake out in the coming months and years. By starting the process of achieving compliance today—before deadlines rush timelines—U.S. companies can take the time to make smart decisions, build future-proof strategies and spread the costs out over time.

U.S. consumers want GDPR-level privacy

We’re seeing a big change in public awareness of data privacy. Everyday people—not just data security pros and regulators—are tuning into the details of what data companies collect about them, and how that personal data is used. As consumers, we’re becoming aware of all the new and terrifying ways our privacy is up for sale. The headline example of this is the Facebook/Cambridge Analytica case. There’s huge value in showing your customers that you go above and beyond, and GDPR is centered on concepts that customers understand and love: consent and the “right to be forgotten.” Moreover, you definitely don’t want to look like you’re taking the easy way out at the expense of your customers’ privacy.

GDPR is good business practice

In board rooms around the country, CEOs are getting grilled on data privacy and data security. No company wants the same embarrassment, fines and costly brand damage that Facebook is enduring. The basic tenets of GDPR—privacy by design, privacy by default, etc.—aren’t really revolutionary. They’re now just best practice for any digital business.

Proactively adopting the tenets of GDPR forces companies to close a basic gap: most of them lack the data visibility needed to understand and implement next-generation data privacy. You need to consider all the vectors within your digital ecosystem—look at all the endpoints floating around your world, not just your networks and servers. And you can’t treat all data the same way. You have to be able to recognize your most valuable and sensitive data—and see where it lives and how it moves.

Of course, proactively going above and beyond to secure customer data is a big challenge, to say the least. But I recently saw something on TV that looked like a much bigger hassle: testifying in front of Congress.
