Anyone who attended this year's RSA Conference in San Francisco can attest to the prominent portion of mindshare that security and privacy practitioners were devoting at that time to the European Union's General Data Protection Regulation (GDPR), which went into effect last month.
GDPR, which at its essence gives consumers the final say on how their data is handled, has been a long time coming. It's a far-reaching consumer-protection measure that's been years in the making and which goes well beyond anything the U.S. has imposed on the companies that collect consumer data. That fact alone makes it no surprise that even in Europe, where calls for such protections have been loud and consistent, FUD gripped large numbers of companies as the deadline for compliance approached.
As it turned out, that fear, uncertainty and doubt was well founded, as the opening days of GDPR enforcement were predictably chaotic. In a recent blog post, Econsultancy reporter Patricio Robles detailed a number of early impacts GDPR has already had. From complaints against tech giants Google and Facebook to a sudden dip in programmatic ad buying and in some extreme cases, the cutting off of EU ads and users entirely, GDPR has made its impact quickly felt.
It doesn't take a whole lot of imagination to predict where this is all going. With violators of GDPR facing fines of up to four percent of their revenue, we can expect to see some serious watch-dogging. When billions of dollars are at stake, people tend to pay very close attention.
Naturally, tech providers are only too happy to develop tools that will help companies stay on top of GDPR. One of the most prominent examples is IBM's new Guardium Analyzer product, which basically searches through a company's data to look for sensitive information that might run it afoul of GDPR.
The market for such tools figures to be explosive as companies come to the inevitable realization that they lack the resources and clear understanding of GDPR to comply with all of its provisions effectively, and they begin turning to outside help. It's not unlike the run up to Y2K, when companies shelled over big bucks at the last minute to help them get through all the needed date changes and avoid being victimized by the catastrophic event that never came. Only with GDPR, the potential implications aren't unknown and theoretical; they're quite the opposite, in fact.
With all of this hand-wringing about compliance and possible penalties, its easy to forget to consider GDPR's big-picture impact. To begin with, there's the little matter of being a groundbreaking act intended to empower consumers who've grown weary of their data being batted around like a beach ball, a commodity used to alternately sell to us at every possible opportunity, or to steal our identities for financial gain. Europe has long had much more stringent privacy protections than the U.S. and GDPR ups the ante significantly.
Then there are less obvious impacts, such as the potential of GDPR to spur innovation in how data is used, and thus how it powers artificial intelligence applications. Put simply, GDPR will force companies to get a lot more intimate with their data. They'll have to scrub it more thoroughly, make it portable via digitization and in general get a clearer picture of what they have. That will, in turn, ramp up their abilities to create AI applications or to use AI tools that can make use of data that's been effectively labeled, classified and modeled.
But where the impact of GDPR may be most felt, especially in the U.S., is in the area of cyber security policy. In a recent piece from CSO Online, Isaac Kohen, CEO of Teramind, which offers an employee monitoring and threat detection platform, argued that GDPR is likely to empower U.S. consumers to ask for similar protections, especially as the high-profile breaches continue to pile up.
With each breach, the media will highlight the differences between GDPR and protection measures here, and the questions are likely to grow louder and more persistent: Why are we not in charge of our own data? Why should we let large corporations make decisions about how and when we can access our information, or, for that matter, who else can access it?
In the meantime, while out-and-out change of ownership (from corporation to individual) is unlikely, Kohen expects there to be movement in areas such as notification and transparency, or toward de-identifying data by essentially decoupling it from the consumer it describes.
However one chooses to look at it, GDPR may be a seminal moment for consumer data privacy. If the regulation proves effective, is regularly enforced, or spurs similar consumer protections to be adopted in other parts of the world, it will have had an impact far beyond the European consumers it's designed to protect. It could very well prove to be a model for empowering consumers to take back control of their most personal and private information.
The really frustrating thing is, that's how it should have been all along. Better late than never.