Figure this one out: Just shy of 100 percent of U.S.-based privacy professionals believe the importance and complexity of managing privacy in their organizations is increasing.

Similar numbers (97 percent!) acknowledge they will increase their investment in managing privacy. Yet fully 61 percent of these same professionals acknowledge they have done little to prepare for the coming of the world’s biggest privacy regulation, the EU’s General Data Protection Regulation, or GDPR. What’s more, 99 percent admit to needing additional help in preparing for the GDPR.

Let me see if I’ve got this right, American privacy professionals: There’s a big old train heading our way (the GDPR express), due to come barreling into the station next May, and most of you haven’t yet done much to prepare. Yet nearly all of you admit you could use a hand? Something’s not adding up.

Such was the data laid at the feet of the panel presentation I participated in at the TRUSTe (now TrustArc) PrivacyRisk conference in San Francisco on June 6, and it’s probably indicative of the state of American GDPR readiness that no one (myself included) expressed a whole lot of surprise. Yeah, we know it’s a big deal, we know it’s going to cost a lot of money, and we know we’re a little behind in getting ready. But hey, we’ll get it done. That’s the American way.

GDPR in the USA

Just after the final panel, during which we reviewed this data and talked about all the work that was actually getting done, a European attendee expressed his astonishment at how seriously we Americans were treating the GDPR. The European stereotype that Americans just didn’t take privacy seriously just wasn’t true, he marveled. In fact, it seemed that these crazy Americans were quite passionate about GDPR compliance, that they understood the major commitments it was going to take to changing policies, procedures, and reporting, and that they were determined to get it done (even if they were a little slow to get going).

It’s worth observing that Americans overall don’t tend to be overly fond of an overarching government calling the shots. Thus we have found ourselves with the government we deserve, one that seems utterly incapable of coming to consensus on anything, let alone a regulatory framework for data protection.

But it’s also true those who are charged with making sure the companies they help manage don’t get into regulatory trouble (as well as those who care deeply about companies behaving ethically toward consumers) have a deep hunger for clarity. And clarity is one thing the GDPR provides in spades. Since the American regulatory framework doesn’t provide much structure, we’ll happily adopt one from abroad (especially since it’s backed up with the as-yet-untested threat of big fines.)

We welcome our new EU overlords

Most of the privacy professionals I know welcome the GDPR. They see its coming as a great opportunity for companies to regularize around a common set of standards and requirements. After all, no company wants to manage multiple sets of requirements for the various domains they work in. It’s just simpler and more efficient to lock into a single standard. As long as their competitors must all do so too, there’s no competitive disadvantage. These companies — the big global companies that loom large in the American business scene — will in turn pass along their alignment with the GDPR to all their suppliers, who will be asked to snap to the new requirements if they want to keep their contracts.

The more things change …

This is how American corporate culture changes, and it’s always been this way. Sure, American business has occasionally had practices dictated to it by politicians — in the form of early labor laws and food safety regulations, for example.

But for the most part, American business has self-regulated when it felt it was in its best interests to do so. I believe that’s what we’re seeing happen with GDPR compliance. American businesses will adopt the protections for individual data that are embedded within the GDPR not because of some high-minded embrace of the universality of an individual’s rights to their own data, but because it’s good business to do so.

At one session at the conference, a vocal German attendee lamented that people should not be forced into accepting targeted advertising as the price to pay for free email. He insisted email should be as “private” as the regular mail provided by the postal service, which everyone assumes is free from the surveillance of the USPS.

But, the American panelist replied, this service wasn’t a government-subsidized utility but a commercial exchange and that users accepted that allowing the email provider to scan the email to target advertising was the price that was paid for free, and what was wrong with that? Their argument was inconclusive — but it was indicative of the very distinct way that American businesses would adopt GDPR standards of data protection into a culture that is still very different from that of Europe.

These are just some of the paradoxes of the American adoption of the GDPR: We know it’s coming and it’s going to be big, but we’re preparing at our own pace, and we’ll fit it into our own cultural standards. Should be a fun ride.

Tom Pendergast is chief architect of MediaPro’s Adaptive Awareness Framework, a vision of how to analyze, plan, train, and reinforce to build a comprehensive awareness program. He is the author or editor of 26 books and reference collections.

