Should America Follow the GDPR Lead?

Data security around PII is a major issue and many people are calling for a GDPR equivalent to strengthen their consumer rights in North America.

Following high-profile cyberattacks such as WannaCry and Mark Zuckerberg apologizing for Facebook’s “breach of trust,” more Americans than ever are thinking about their data privacy.

At the same time, the EU’s General Data Protection Regulation (GDPR) came into effect last May. The main focus of the GDPR is to give EU citizens greater control over how organizations collect and handle their data. The regulations also require businesses to report data breaches of personally identifiable information (PII) that affect people’s rights and freedoms within 72 hours.

The GDPR already applies to companies globally that process customer PIIs who live in the European Union. However, many people are calling for a GDPR equivalent in North America to strengthen their consumer rights.

Against this background, could the United States and the rest of the world soon have its own GDPR equivalent? What are the founding principles of any new laws likely to be? And what can your business do to prepare now?


Most American data privacy laws are currently based on the Federal Trade Commission’s fair information practice principles (FIPPs). Although the FIPPs recommend that companies tell customers about their data practices, it does not provide a stringent unifying law that regulates the collection and use of customer data across the entire country. At the same time, separate state and local government laws often contradict the FIPPs, making federal law more difficult to enforce.

Likened to the GDPR, the California Consumer Privacy Act (CCPA) is considered to be the toughest data privacy law in the United States to date. When the law goes into effect Jan. 1, 2020, the CCPA will allow Californians to access and delete the data companies collect and hold about them. It will also enable customers to tell businesses that they don’t want them to sell their data on to third parties.

At present, a federal law as momentous as the CCPA hasn’t emerged. But with California being the home of Silicon Valley and some of the biggest tech companies in the world, many commentators are predicting the forthcoming state law will be the catalyst for a new, wider-ranging federal law.

Data Protection by Design is Likely to be the Future

When it comes, privacy by design (PbD) is likely to form the basis of a North American GDPR. A fundamental part of Europe’s GDPR, PbD refers to the practice of embedding privacy into every organizational process and system.

As concerns around privacy continue to increase, good data security and compliance breeds trust. For this reason, prioritizing PbD right now can help your business get ahead of future changes in federal law while strengthening customer relationships.

What can your business do to build privacy by design now?

An old application design and development strategy that has been used to help meet the modern challenge of data security, PbD embodies seven core ideas:

  1. Privacy must be proactive, not reactive: Effective PbD anticipates data risks and puts measures in place to prevent breaches before they occur.
  2. Privacy must be the default setting: All processes and systems need to protect privacy automatically. Customers shouldn’t have to act to secure their privacy and organizations must always ask for consent before collecting data.
  3. Privacy must be embedded in every process: During the development of processes and systems, privacy must be a core function of the design, not something added as an afterthought.
  4. Privacy integrations must offer full functionality: Customers should never have to make the choice between functionality and privacy protection. They should have full access to all features without having to give up more of their personal information.
  5. Systems and processes must offer end-to-end security: Businesses that collect data must ensure the data is safe and secure for as long as they have it. This means building strong data minimization, retention and deletion processes.
  6. Privacy standards must offer visibility and transparency: As a data controller and processor, businesses must be fully accountable for the information they gather. This means customers must be able to check that the business adheres to its privacy policies and all processes must stand up to external scrutiny.
  7. Privacy must be user-centric: It must be simple for customers to enact their privacy rights. Consequently, user-friendly consent options, clear notification of changes to privacy policies and easy-to-follow settings are a crucial component of PbD.

Concluding Thoughts

Data security—and, therefore, PII—is a major issue, and every business that handles personal data is under the microscope. Aware of how companies use their data, customers are demanding more robust and transparent laws. The CCPA looks like it could provide the impetus to create a weightier federal law. In the meantime, though, developing privacy controls and following good data security practices will protect customers, breed trust and prepare for a future in which PbD is a legal requirement.

Featured eBook
7 Reasons Why CISOs Should Care About DevSecOps

7 Reasons Why CISOs Should Care About DevSecOps

DevOps is no longer an experimental phenomenon or bleeding edge way of delivering software. It’s now accepted as a gold standard for delivering software. It’s time for CISOs to stop fearing DevOps and start recognizing that by embedding security into the process they’re setting themselves up for huge potential upsides. Download this eBook to learn ... Read More
Security Boulevard
Simon Hall

Simon Hall

Simon Hall, is the Head of IT Securities at Vonage. He has more than 20 years of experience in IT and IP securities. Focusing on people, Simon leads high functioning teams whose innovation and thought leadership extends beyond just Information Security and into the business itself. In 2017 Simon joined NewVoiceMedia to lead Technology Security Operations in the scope of GDPR among other responsibilities. After NewVoiceMedia joined forces with Vonage in late 2018, Simon continues to lead the IT security team. Prior to that he was with Vodafone serving as the head of cyber security manager and GDPR on-boarding authority.

simon-hall has 1 posts and counting.See all posts by simon-hall