March 31, 2021
Written by
Gary LaFever
Can GDPR / Schrems II Required Technology Turn Data Protection Compliance Cost Centers Into Lawful Data Use Profit Centers?

A recent webinar hosted by leading regulatory intelligence firm Vixio raised intriguing questions about whether GDPR compliance requirements (as highlighted in the Schrems II case) for protecting data when in use lay the groundwork for complying with the different state privacy and consumer rights laws being adopted in the U.S. The webinar also introduced an interesting conversation around whether these controls can act as mechanisms for turning cost centers into lawful profit centers.

The following are highlights from the "Preparing for U.S. Data Privacy Laws - Future-Proofing Your Business" webinar hosted by Vixio Regulatory Intelligence:

1. Global Locations Do Not Determine Data Obligations

Sylwester Frazzoni, Editorial Director at Vixio Regulatory Intelligence

Sylwester highlighted that starting in January, Vixio has begun preparing insight reports on what is happening in the U.S. privacy law market and how these developments translate into European companies' compliance obligations. He pointed out that international obligations transcend where companies are headquartered. Evolving U.S. state laws require European companies to comply if they process specified thresholds of data covered by the laws, regardless of where they are located.

Laws like the California Consumer Privacy Act (CCPA), its successor the California Privacy Rights Act (CPRA), the Nevada Privacy of Information Collected on the Internet from Consumers Act (NPICICA), the recently enacted Virginia Consumer Data Protection Act ("VCDPA"), and other pending state laws will require European companies to comply with a range of requirements regardless of where the companies are physically located.

2. More U.S. State Privacy Laws Are Expected in 2021

Nora Gebhardt, Journalist at Vixio Regulatory Intelligence

Nora highlighted that state lawmakers have sent a clear message that they intend to establish consumer data protection rights. 2021 may well see state privacy laws passed in Washington and Oklahoma, with other states evaluating privacy laws. 

3. New Technical Controls Enable Lawful Global Data Objectives

Gary LaFever, CEO & GC at Anonos Lawful Borderless Data

Gary discussed how investments in GDPR compliance could help European companies address compliance with non-EU data protection laws, such as U.S. state privacy laws and other data protection laws that come into force around the globe. More importantly, Gary focused on how GDPR requirements to protect data when in use, as reinforced in the recent Schrems II ruling, can help ensure predictability of operations and ongoing benefits from advanced secondary processing that leverages cloud-based Analytics, Artificial Intelligence (AI) and Machine Learning (ML).

Gary highlighted that the technology controls clarified in Schrems II as required for enforcing GDPR requirements can turn data protection compliance cost centers into revenue-generating lawful data use profit centers.

4. The Virginia Privacy Law is More GDPR-Like Than California Law

Glenn Brown, Of Counsel at Squire Patton Boggs

Glenn noted several differences between the recent Virginia Privacy Law and the California Privacy Laws, some positive and some negative. One benefit of the Virginia Privacy Law is the opportunity for companies to take advantage of a 30-day cure period, which does not exist under the California Laws.

When asked for suggestions on how companies can comply with the disparate requirements of different U.S. state laws, he highlighted the trend of laws becoming more GDPR-like and the importance of overarching data governance and data management as the keys to enabling companies to comply.

5. Digital Obligations Without Boundaries/Privacy is a Brand Value

Jill Reber, General Manager of Data Privacy at Logic 20/20

Jill noted that digital data has no geographical limitations, and that data privacy regulations are not limited to consumers and clients. She pointed out that consumers pay attention to how companies are using their data and are reevaluating their relationship with the businesses that fail to use it responsibly.

Jill noted that many technology trends underlying digital transformation, like smart devices and personalization, create tensions (i) between privacy and personalization, (ii) between privacy and connectivity, and (iii) between privacy and Analytics, AI and machine learning.

In closing, Jill highlighted that doing an excellent job on your data privacy program can improve return on investment by improving customer experience while streamlining internal processes. This can enable you to understand customers, leading to faster decisions and cost savings. Most importantly, you're building trust with your customers, which leads to customer loyalty and competitive advantage because your brand is valuable. Privacy is a brand value; brands depend on trust, and trust is increasingly about data handling practices. So, businesses that think about their brand trust in this way will have a competitive advantage over those that do not.


Data is global and regulation is evolving to reflect this, making it more difficult for international organisations to pass the compliance threshold. The demand for GDPR/Schrems II compliant technology is growing, and the above discussion between industry-leading experts demonstrates the potential for an exciting secondary benefit to investment in this area, which would see the transition of data protection compliance cost centers into lawful data use profit centers - an exciting move for the industry.


This article originally appeared on LinkedIn. All trademarks are the property of their respective owners. All rights reserved by the respective owners.