The Digital Economy
As the countdown clock continues to speed toward the May 2018 imposition of the General Data Protection Regulation (GDPR) in Europe, many public and private sector leaders remain either oblivious to or confounded by what may become the world’s most far-reaching privacy and information security standards.
GDPR sets out directives on data privacy and security, adopting a carrot-and-stick approach to information security, the biggest stick being the EU’s ability to impose fines of up to 4% of global turnover or €20 million on firms that, in the judgement of regulators in Brussels, breach the new mandates or put the data of EU citizens at risk.
Today there is an array of inconsistent survey data regarding GDPR preparedness for both large corporate enterprises as well as small and medium-sized businesses that will be required to comply. Even among those companies that claim to be set for compliance, uncertainties will remain until EU auditors put the new regime into effect. In the face of ever-increasing technical cyber threats and potentially crushing fines, careful preparation for GDPR should be a significant agenda item for executives and board leaders of global businesses conducting commerce anywhere in the EU.
However, government leaders both inside and outside the EU should pay close attention to GDPR implementation as well. Will GDPR prove to be an example of regulatory overreach that creates a host of unintended consequences?
One primary concern is the likelihood that GDPR will create an information security arbitrage that will be deliberately exploited or inadvertently tripped as companies scramble to abide by these rules.
Information security arbitrage, much like financial or tax arbitrage, arises when data privacy and security standards follow the path of least resistance. For example, will global companies, fearing the loss of a share of their worldwide revenues, establish their base of operations and data centers in lax information security and privacy environments? Similarly, will companies that continue to labor under a culture of obfuscation and occlusion, as we saw with the now infamous Yahoo! breach, stop abiding by cyber breach reporting requirements? Executives must learn that bad information does not improve with time, and GDPR ups the stakes substantially.
GDPR represents new privacy terrain for its ambition, particularly for the centrality of individual privacy and for putting the “right to be forgotten” at the forefront of 21st century cyber security regulations. Its principal challenge, however, is the lack of harmonization across major markets around the world, not least of which is the distinct gap between European privacy standards and the more laissez-faire US model. Some will argue that the punitive measures associated with GDPR are a de facto form of trade sanction,…