Withdrawing from Europe because of GDPR is short-sighted, Ventiv warns, because other jurisdictions are coming up with similar rules
Companies withdrawing from the UK and European markets because they do not have a grip on compliance with the new General Data Protection Regulation (GDPR) are making a “short-sighted” strategic blunder.
This is because countries around the globe are implementing their own privacy legislation in the image of Europe’s GDPR. If they shut themselves out of Europe, they might as well shut themselves out of China and California, too.
That was the word from Scott Wilson, chief information security officer and data privacy officer at Ventiv Technology, a risk management and insurance software vendor. “It is short-sighted. And if they’re shutting down business for GDPR, it probably means they’re worried about increased enforcement and they’re not compliant with the existing regime,” he said.
Companies risk shutting themselves off from several big markets, out of fear of privacy laws, Wilson warned. “In California right now there’s a new Consumer Privacy Act, which is very much a GDPR-style piece of state legislation. And there are more and more examples of [US] states bridging the gap where the federal government is not seen to be addressing privacy regulation,” he said.
There are new laws to protect citizens’ privacy rights coming into play in China and Russia, too. “If you do business in China, it’s very easy to find yourself in violation of their privacy laws. China has strict demands on access, and their data protection authorities can demand to see everything. Russia is concerned with the privacy rights of its citizens, believe it or not. They’ve identified LinkedIn as a potential privacy threat, for example,” Wilson added.
Online gaming firm WarPortal.com announced it would withdraw its services from European consumers. Other companies behind the curve on privacy policies and fearing non-compliance with GDPR may follow suit. Consent issues for children’s privacy are a concern under GDPR, which has raised the minimum age for using services such as the WhatsApp messaging service in Europe, for example, he notes.
What is clear is that authorities are increasingly demanding to see what data are stored and enforcing privacy regimes in ways reminiscent of historical busts of firms for fraud or other financial crime.
New York’s cyber security laws can be seen as the equivalent of previous generations of regulation, such as Sarbanes-Oxley, he suggested. That piece of US federal law was brought in nearly two decades ago, following the spectacular frauds at Enron and WorldCom.
The search warrant executed by the UK Information Commissioner’s Office on Cambridge Analytica was a particularly visible example of a new generation of muscular enforcement of data privacy regimes globally.
“You can’t hide behind the curtain any more. The regulators are demanding access to data and systems. The ICO didn’t send across a compliance questionnaire – they went on site to seize data,” said Wilson.
The noise from Brussels suggests that the EU will be keen to make examples of GDPR offenders. “They’re going to enforce it. If you can’t display good data governance, then you’re going to get hit. That means companies will be taking a much more conservative approach to reporting breaches going forward,” Wilson warned.
Take the recent example of Twitter, which emailed its users after discovering a breach of its security that it feared might have been exploited by cyber thieves and criminals. “They went ahead and informed everyone openly, and that’s probably the best approach from a GDPR perspective,” Wilson added.