Michael Osterman: On GDPR for the US

Michael Osterman: On GDPR for the US

GDPR: 6 Months In

Full Video Here: Osterman on GDPR

David Littman: Hi Dave Littman, Truth in IT, joined again by Michael Osterman Principal Analyst of Osterman research. Michael welcome.

 

Michael Osterman: Thank you very much David, a pleasure to be here today.

 

David Littman: Pleasure to have you. So let's talk a little bit about GDPR. We know that the deadline for complying has come and gone. But what does it mean now that we're sort of past six months after the implementation of the law.

 

Michael Osterman: Well GDPR is interesting because it really represents sort of the culmination of what Europe has been doing for many decades in terms of protecting privacy rights. And it is particularly interesting because it extends really around the world. Any organization that has data on European residents potentially is subject to GDPR. Now what's interesting is that the enforcement of GDPR has officially begun. But we really haven't seen any fines yet. So we don't know the extent to which the European Union is going to take a soft approach, if you will, and hand out fines very gradually or if by the end of the year there are going to be handing out some massive fines to companies like Facebook or Google that that have been accused of disseminating personal records and violating privacy obligations. So you know that really is the 64000 dollar question that that has yet to be answered. You know personally I think that the European Union is going to be making some examples of some fairly large American companies for their privacy rights violations so I would anticipate we'd see some pretty significant fines coming down the road.

What About GDPR for the US?

David Littman: Ok. Now we've recently seen in the news I think Tim Cook especially has been leading the charge about requesting a GDPR type of bill in the U.S. How realistic do you think the timeline is for something like that.

 

Michael Osterman: You know that's a great question. Given the current climate in Washington D.C. I would guess that there probably will not be a federal law. Some know like GDPR are in the near future. What we are seeing though is individual states taking up the costs. California, for example, with the California consumer privacy act or CCPOA, is going to be implementing this in in 2020 and they call it a sort of a GDPR-light because it handles a lot of the same types of provisions of GDPR. But it's not quite as draconian in terms of the fines and so forth. We see Colorado doing similar things and I think what we're going to find is that the American approach to GDPR is to do this on a state by state level. California started, for example, with the data breach notification requirements that eventually spread to all 50 states. Now from a corporate perspective it would be easier if the U.S. had a national law, something at the federal level, so that you complied with one requirement instead of 50 individual requirements. But my guess is that that's not going to happen. But we are seeing GDPR-like laws spread around the world. We're seeing them in Brazil and India, Australia and so forth and I think this is really picking up momentum and it's being driven largely by the privacy violations we've seen from major players that have been playing in some cases, fast and loose with personal data. 

Who Will GDPR Affect?

David Littman: And are you seeing any particular companies maybe just name a few that just sort of fall into the area of helping corporations comply.

 

Michael Osterman: Well certainly I think a lot of this is at the consultant level. There are a lot of GDPR consultants who can help organizations to get their house in order. And ultimately what GDPR is all about is really just good data or information governance. It's knowing where your data is located, being able to produce it on demand, being able to protect it, encrypt it, for example, when it needs to be encrypted defensively; defensively deleting it when it is no longer needed. Being able to to respond with things like subject access requests. And ultimately while GDPR really can be considered a pain from a corporate perspective if you get GDPR right, you have essentially implemented good information governance, and it's going to help you not only from a regulatory standpoint, but also from a legal standpoint if you ever have to go into court, for example, and present data in response to any discovery order. If you get if you've got your GDPR tools in your processes in place then you can handle e-discovery much more easily than a lot of companies can't today.

 

David Littman: Ok. Good advice. Well Michael thanks so much for taking the time to chat with us today.

 

Michael Osterman: It's been my pleasure Dave. Thank you so much.

 

David Littman: All right. Thank you for watching. We'll see you again. Check out our other videos here at Truth in IT.