Here is part two of HighQ’s interview with Steve Cosentino, a legal expert with three decades of experience in technology and compliance. You can read part one of the interview here for insights on client trends and regulatory technology.

As a lawyer specializing in technology, Steve Cosentino has a unique, two-way perspective on the sector. He is a partner at Stinson Leonard Street, a firm based in Kansas City, Mo., where he offers data security and regulatory compliance expertise to clients in the technology sector. Cosentino also tracks trends and uses new technologies to better deliver services to those clients, so there is no doubt he knows the landscape inside and out.

In the second half of our interview, we talked about hot topics like regulating financial market disruptors, hurdles to consistent compliance, and the impact of GDPR on US businesses.

HighQ: Artificial intelligence, blockchain and FinTech have the potential to be major disruptors of financial markets. What sort of pressures does this present to global regulators in terms of assuring that the right frameworks are in place to protect the changing dynamics of the markets?

SC: In this regard, I see the biggest issue to tackle is not so much the technology itself. Regulators have to be able to understand and adapt to new technologies, see where the weaknesses and potential threats to consumers are, and be able to react. That takes time and expertise, and regulators largely have the resources to be able to engage that expertise. Even though the process may be a little slow, they will get there eventually—it just has to be a faster track than they're probably used to.

HighQ: Aside from GDPR, which we’ll talk about next, are there other regulatory initiatives or changes to existing regulations that worry your clients the most?

SC: Data security is an area that has received so much attention in recent years. And it's always a question of when, not if.

One of the biggest problems for companies is uncertainty and multijurisdictional differences. A lot of companies operate online; they're dealing with consumers in different states. And we have threats to consumers that are unfolding on a daily basis. But state and local authorities can be quicker to act than the federal government, because the process just takes longer at the federal level. So what that creates is a hodgepodge of laws that place a huge compliance burden on small and midsized companies.

The uncertainty that results from multiple regulations attempting to address the same issue, but coming from different jurisdictions, causes real problems for companies in determining how to attack their overall compliance strategy.

HighQ: Speaking of data security, business surveys over recent months have painted a mixed picture of US firms’ confidence in being ready for GDPR. How concerned are you with the capacity of businesses to meet GDPR compliance?

SC: In my experience, companies generally fall into two categories:

The first are companies that know they have significant data collection going on from EU data subjects, or maybe they have some operations in the EU. Most of these companies have been on top of GDPR since 2016 and should be largely ready for May of this year.

For most companies in the first category, there's going to be a good, solid base level of compliance that I think they'll be comfortable with. But a lot of it will evolve. So, the pain there is that you can probably spend a lot of money, time and resources putting together this compliance program, but the fact is that you're going to have to continually update it and change it as the individual member states start to take action and enforcement begins. It could be a real problem.

The second category of companies have no real operations or employees in the EU, but they have some limited or incidental data collection going on. That might be a company that sells products online on their website, and they don't have a huge market in the EU, but every once in a while, someone orders something and you get their information and have to comply.

So, for the companies in the second category, many haven't even thought about GDPR applying to them. Or they've just started the process and are asking themselves, “What are we going to do?”

For those companies, the EU is going to have plenty to deal with larger, data-heavy companies. So we may see that their enforcement efforts continue to go after big-name targets. Enforcement risk might be fairly low for these organizations, but it's not zero. Take this issue seriously, and try to get a high-level GDPR compliance program in place at the very least.

HighQ: From your point of view, what should business leaders be focused on from a business governance perspective? For larger companies, you believe they are mostly prepared for it— or as well as they can be. But are there any additional things that you think they need to address going forward?

SC: Probably the biggest issue for a larger operation with significant data is to invest some time, people, and resources in the process of understanding all of the touchpoints and source locations for personal data. Most US companies are just not geared to do that. They take on different components of data collection and storage and transfer data on a piecemeal basis, and don't necessarily tie all those things together.

When you look at enforcement decisions on privacy in the US, regulators will primarily take slam-dunk cases where a company promises in their privacy policy to only do “x and y” with your data, and then we find out that they do “z” with your data. That can be largely prevented by having a great process in place for understanding where all the data is, and all the touchpoints. That can be a significant undertaking, but it'll pay off. And for GDPR, it's a necessity and requirement.

Good data mapping, data protection impact assessments, and adopting the concepts of privacy-by-design and privacy-by-default are going to play a big role in US companies. You've really got to change the philosophy of the company at a high level to be able to get those two pieces in play.

Most companies operate the other way around. They build a project to achieve a marketing, operational, or sales goal and then not have the project reviewed at the end for privacy and data security issues. I'm often the last one to be involved, and then the clock's ticking. The process is like, “Alright, everything's put together, we want to launch this, let's get this little privacy component dealt with.” And you can't do it that way with GDPR. It has to be an up-front discussion.

HighQ: You mentioned how GDPR is influencing organizations. To what extent do you think GDPR will influence US policymakers in evolving the data privacy standards?

SC: I mentioned earlier that we lack a comprehensive US general privacy law. And I can't really articulate all the reasons for that. We've got significant privacy laws in regulated industries such as healthcare, banking and financial services. But we don't just have a general privacy law.

The combination of GDPR and what's going on with Facebook is going to create huge pressure for a national general privacy law. What will be different here in the US is that the need for that likely will come from two different directions. You're going to have consumer groups and privacy groups that will be advocates, and they will want to see a GDPR-style regime. And then you're going to see the e-commerce, marketing, online, tech industry companies skeptical about comprehensive US privacy regulation that will hamper innovation and speed to market. However, ultimately, they will benefit from a single US law that preempts state laws and perhaps limits private causes of action. There is room for a middle ground on this issue.

So as lobbying efforts start to unfold, it will be pretty intense. And I just don't see the US ever adopting a full, GDPR-style privacy effort that has all of the same requirements. Because in the US, we value convenience, while the EU, as a whole, is much more privacy-focused.

If you start adding major steps to conducting different transactions online or in apps, you’ll make the process more difficult because you're so focused on privacy issues. I don't think there's as much tolerance for that here in the US.

So we're probably always going to have to deal with model contract clauses, privacy shields and those sorts of things to be able to address that issue.

____

Regulation is complex. As data privacy and data regulation continue to move to the forefront of the public consciousness, businesses must be proactive in protecting their clients and customers. Smart investments in secure technologies and expert counsel will pay off in the long run.