Shifting how businesses think about privacy.
Why has the GDPR affected such a change? There are two clear and overlapping reasons. The first is that the GDPR introduced many U.S. businesses to a comprehensive data privacy regime with teeth. U.S. data privacy law is notoriously sector-specific and fragmented. There are divided opinions on whether this is a virtue or a vice, but the bottom line is that organizations in heavily-regulated industries, like health care, have had to meet a different set of regulatory expectations in handling and protecting personal information than have other kinds of businesses. But the GDPR has made much more universal the reach of robust data privacy compliance rules, requiring a number of businesses for the first time to consider the complexities of their data flows. Understanding something as basic as what data is collected and where it goes is fundamental to being able to comply with the heart of the GDPR: effectuating individual data privacy rights, which in the EU (in contrast to the U.S.) are thought of and treated as human rights.
The second reason is that other legal regimes are following suit, and businesses can see the obvious trend toward clearly-defined data privacy rights zealously enforced. Brazil, for example, passed a comprehensive data privacy regulation similar in many respects to the GDPR, which becomes effective in 2020. Japan, in order to make data flow between it and the EU easier (since the GDPR has restrictive cross-border data transfer rules), recently passed rules increasing protections relating to data transfers and entered into a reciprocal data-transfer arrangement with the EU.
And in the U.S., California passed a comprehensive law (the California Consumer Privacy Act, or CCPA) that goes into effect in 2020, also defining clear data privacy rights similar to the GDPR. (We have written and talked about the CCPA extensively elsewhere.) While the CCPA is alone among states for now, it will not be alone for long. New York and Washington recently tried (and failed) to pass similar laws, and states like Massachusetts have such laws winding through their legislatures. California has long been a trend-setter when it comes to data privacy; it is poised to continue in that role.
The practical importance of privacy policies.
Toward effective data governance.
In other words, thinking about data privacy is thinking top to bottom, inside and out, internally and externally, about a wide-ranging set of practices and risks that increasingly have more to do with how a company holistically operates than simply what document a company puts on its website. And as more laws look more like the GDPR, the importance of engaging in, and maintaining, these data governance practices will increase and, we might all reasonably expect, become ubiquitous.