Last May, the European Union’s General Data Protection Regulation (GDPR), created to give consumers more control over how large companies can use their data, went into effect.
Shortly after the GDPR took effect, California approved a new regulation that will go into effect on January 1, 2020.
In many regards, the California Consumer Privacy Act is very similar to the GDPR, explained Lev Lesokhin, EVP of strategy and analytics at CAST Software. The new law will provide California residents with the right to control data that companies collect about them. It will enable you, as a consumer, to set limits on how a company can use your personal data.
The GDPR imposes a four percent fine on all revenue or €20 million (whichever is greater) for violators, while the California law opens up the ability to sue companies that don’t comply, he explained. He believes that the penalty for violating the California law is actually less stringent than the fine for the GDPR. “How much can an individual really sue you for letting the data be breached or letting the data be used without their consent? It’s probably not going to be anything close to four percent of revenue, at least for big companies.”
Lesokhin believes that the new law will have a compounding effect when paired with the GDPR. “GDPR seems far away, but for any technology company with any kind of global ambitions, Europe is a big market. The same would be said of California. That’s a big market as well, so even if GDPR didn’t exist, most companies would have to pay attention.”
Even though the new law technically only protects Californians, the rest of the United States will likely experience the same benefits as someone living in California. Implementing the functionality required by the law is going to take a lot of effort, and it would take even more effort to implement functionality that behaves differently for California residents than for anyone else, Lesokhin explained.
Prior to the GDPR going into effect, data governance company erwin released a study that revealed that only 6 percent of organizations felt that they were prepared for the upcoming regulation. Several big tech companies, such as Twitter, are already under investigation for violating the GDPR, Fortune has reported.
“We’ve seen a lot of our European customers take a much more proactive stance to it than U.S. companies,” said Lesokhin. “When the law came into effect in May, I think a lot of companies here just started to wake up to the fact that this is real for them. And so we’ve seen some of the preps that you have to do and it can actually be pretty intense.”
Lesokhin explained that it is harder for organizations with legacy systems to comply with these types of regulations. Newer tech companies with newer technologies can leapfrog their competitors and build to the regulations, giving them an advantage. Older organizations, however, will have more to consider. They will need to look into their systems and determine how their applications manage that data, as well as all of the touch points of that data, so that they can make sure the data is compliant. “That process of actually mapping out the flow of your data through all of your systems can be pretty complex and we’ve seen that first hand,” said Lesokhin.
“I think one thing that’s clear here is that there’s more of a premium now being placed on how data access and data handling is being architected in software,” he said.