Well, GDPR is not scaring anyone. In fact, it’s a lawyer’s dream come true. It’s becoming quite clear that Europe and the U.S. are attacking GDPR compliance problems from different angles. In Europe, the compliance budget covers lawyering up, whereas on the other side of the pond, the Americans are using their compliance budgets to solve the problems with automated solutions. Which is the opposite of what we’d expect given the litigious nature of the U.S. It seems the worm has turned.
I’m thinking that this swing is due to the practical implications of two very similar, yet different, pieces of legislation. Let’s look at GDPR: non-compliance results in a fine of 4% of annual revenue (or €20m, whichever is greater). How? Well, the ICO imposes fines on a case-by-case basis, with fines being discretionary, not mandatory. That doesn’t really benefit Johnny Public, does it? In the U.S., non-compliance (with CCPA, for example) results in a consumer (yes, Johnny Public) suing the company for $750. Simple, straightforward and completely comprehensible to the individual.
It really doesn’t matter that GDPR can apply sanctions where it is believed a company is at risk of a breach, while CCPA kicks in only after a breach, because once again that’s a detail that does not bother Johnny Public. So in Europe, they attack the problem with lawyers, because at minimum it’s a €20m problem, whereas in the U.S. they attack the root of the problem and find or create technologies that help solve the problem of discovering personally identifiable information (PII), because it’s a much bigger than €20m problem.