How the GDPR has shaped U.S. privacy regulation and cyber risk management

As it was debated, passed and enacted, many observers used lofty terms to characterize the European Union’s General Data Protection Regulation (GDPR): “historic,” “landmark,” “game-changing.” With the GDPR turning five years old this month, it’s fair to say these descriptions are not hyperbolic. The GDPR has had sizable, lasting effects on privacy regulation, risk and corporate best practices globally — including in the United States.

Regulation leveling up

Privacy protection laws existed in the U.S. well before the GDPR took effect on May 25, 2018. To date, however, no comprehensive national privacy protection regulation is in place.

Instead, organizations that collect and use data have traditionally faced a patchwork of federal and state regulations and common law. For example, the federal Fair Credit Reporting Act and Health Insurance Portability and Accountability Act address consumer credit information and protected health information (PHI), respectively. Various state laws have also addressed privacy invasions, such as Illinois’ Biometric Information Privacy Act (BIPA), which governs the collection and use of fingerprints and other personal identifiers.

For U.S.-based companies, some of which are subject to the GDPR, the new European standard represented a major step forward for privacy regulation. That’s because it considered the protection of an individual’s personal data in its totality and imposed compliance obligations extraterritorially.

Since the GDPR was enacted, many U.S. states have followed in the E.U.’s footsteps. Today, comprehensive privacy laws are in effect in California and Virginia, with similar laws set to take effect in Colorado and Connecticut on July 1, 2023; in Utah on Dec. 31, 2023; in Iowa in 2025; and in Indiana in 2026. As of May 5, legislation passed in Montana and Tennessee was with those states’ governors for signature, while 15 states’ legislatures are considering their own comprehensive privacy bills, according to the International Association of Privacy Professionals.

[Figure: Cyber Privacy Map]

In addition to these comprehensive laws — many of which have been inspired by the GDPR — several states continue to enact more specific laws. Washington’s My Health, My Data Act, which more strictly protects and regulates the use of Washingtonians’ PHI, will take effect in 2024. Maine, meanwhile, is considering a biometric privacy law modeled on Illinois’ BIPA.

Privacy-forward mindsets

This evolving regulatory framework has driven a change in corporate mindsets. Mindful of the potential for litigation, regulatory action and reputational damage in the event they violate the GDPR and/or various state laws, U.S.-based organizations have sought in recent years to better understand and monitor their collection, use, storage and transfer of data.

As regulatory activity continues to evolve, organizations should continue to focus on:

  • Building robust data compliance teams that understand their obligations under various federal and state regulations, as well as their international obligations;

  • Conducting data mapping and classification exercises to obtain a clear view of the types of data being collected and/or processed, how that data flows into and out of their organizations, and the data’s sensitivity levels; and

  • Being transparent about their collection, use, storage and sharing of data, including making appropriate and required disclosures.

The greater focus on privacy regulations has also grabbed the attention of insurers, which are starting to more closely scrutinize privacy risks. Underwriters are asking insurance buyers more questions about their use of data, as well as policies, procedures, and controls to protect that data.

This is the first in a series of articles to be published on lockton.com about the GDPR’s legacy five years after its enactment. Read more about what the regulation has meant for U.K.-based businesses, and look for our next installment, which will examine the GDPR’s implications for the insurance industry.

For more information on privacy and cyber risk management, contact a member of your Lockton team or cyber@lockton.com.