As the countdown clock continues to speed toward the May 2018 imposition of the General Data Protection Regulation (GDPR) in Europe, many public and private sector leaders remain either oblivious to, or confounded by, what may become the world's most far-reaching privacy and information security standards.
GDPR sets out directives on data privacy and security, adopting a carrot-and-stick approach to information security, the biggest stick being the EU's ability to impose fines of up to 4% of global turnover or €20 million on firms that, in the judgement of regulators in Brussels, breach the new mandates or put the data of EU citizens at risk.
Today there is an array of inconsistent survey data regarding GDPR preparedness among both large corporate enterprises and the small and medium-sized businesses that will be required to comply. Even among those companies that claim to be set for compliance, uncertainties will remain until EU auditors put the new regime into effect. In the face of ever-increasing technical cyber threats and potentially crushing fines, careful preparation for GDPR should be a significant agenda item for executives and board leaders of global businesses conducting commerce anywhere in the EU.
However, government leaders inside and outside the EU should pay close attention to GDPR implementation as well. Will GDPR prove to be an example of regulatory overreach that creates a host of unintended consequences?
One primary concern is the likelihood that GDPR will create an information security arbitrage that will be deliberately exploited or inadvertently tripped as companies scramble to abide by these rules.
Information security arbitrage, much like financial or tax arbitrage, arises when data privacy and security standards follow the path of least resistance.