GDPR has been in play for less than 24 hours and several lawsuits have already been filed in the EU against Facebook and Google claiming each is not abiding by the new privacy regulations.
Many websites have also gone dark in the EU, including the New York Daily News, Chicago Tribune, LA Times, Orlando Sentinel and Baltimore Sun, because they're not GDPR compliant, according to the BBC. Whether or not such drastic action was truly required to protect a potentially non-compliant company is debatable, said attorney Aaron Tantleff, a cyber-security and privacy partner with Foley & Lardner.
"While some of the companies going offline are most likely doing so because their business model depended, in some part, upon processing personal information in what would be in conflict with the GDPR (and perhaps in conflict with the former data directive), likely making them prime targets for early action and substantial fines, the majority of those going offline probably did not need to. Many of the companies going offline are subjecting themselves to ridicule on the internet, allowing the commentators to draw conclusions and label such companies as evil," he said.
The lawsuits hitting Facebook and Google were filed by Austrian lawyer Max Schrems, who runs the NGO None of Your Business, CNN has reported. Schrems is known as the man who brought down Safe Harbour over US corporations allowing US intelligence services access to Europeans' data. The suits were filed in French, German, Belgian and Austrian courts. CNN cited sources that said Facebook is already breaking the regulation by continuing to collect information on political opinions, religious beliefs, ethnicity and sexuality without its users' permission, and is doing so by pulling together disparate bits of data on its user pages.
In an email to SC Media UK, Brian Vecci, technical evangelist at Varonis commented:
“It's not surprising that the big tech companies are the first to face problems now that the GDPR is in effect. They have the most data about the most people and their business depends on exploiting it—they were always going to get hit first and potentially hardest. What's interesting is that they're already being accused of ignoring the new regulation, when it seems clear to everyone paying attention that, while they certainly might not be compliant, ignoring it is the last thing that the big tech companies have been doing. That's not necessarily true of all of the other companies that collect and exploit consumer data and are now subject to the GDPR.
"As a society we dramatically underestimated the inherent value of our own personal data and what it reveals about us over months and years. The GDPR isn't going to kill their business model, but it is going to force them to finally treat our personal data as something that's valuable not only to them but to us as well.
"Many organisations have taken a wait-and-see approach to the GDPR, betting that they can fly under the radar for a while and save some money by not having to change much about how they secure this kind of data and keep it private (or fail to do so). That could end up proving more expensive in the long run, since while many companies aren't yet fully compliant, the ones that have taken clear steps will likely see far more lenient penalties for violations. The ones that actually are ignoring the GDPR and have done nothing will probably get hit the hardest."
"In our recent Global Data Risk Report, we found that 58 percent of companies have more than 100,000 folders open to everyone in the company, meaning that data is neither secure nor private. The big tech companies are in the spotlight right now but they're not the only ones who are going to have to face the music.”
Michael Aminzade, Trustwave's vice president of global compliance and risk services, adds: “With its strict guidelines on how personal data is handled, the GDPR is poised to be the single greatest compliance event in decades and will be a wakeup call for businesses that are not prepared. Here's a tactical look at approaches to avoid those hefty fines that could be up to €20 million or four percent of a company's annual revenue, depending on whichever cost is higher for the non-compliant company to pay.”
The run-up to GDPR's implementation was also not without its problems, said Terry Ray, Imperva's CTO, noting that the website of the UK Information Commissioner's Office (ICO), responsible for protecting information and privacy rights, crashed when thousands of late requests for information poured in on 24 May, an outage that was entirely preventable with a little forethought.
“While predicting the volume of last-minute traffic to a website can be difficult upon go-live, there are solutions, particularly infrastructure- and platform-as-a-service offerings, that make scaling web infrastructure to meet elastic demand readily available," said Ray. "This is how online retail and others meet demand in their peak seasons, yet scale back infrastructure the rest of the year when throughput is lower to save costs.”
The ICO site is now back up.
Even though the deadline has passed, it's not too late for companies to become compliant, and for those that are still in the process of getting their GDPR ducks in a row, the EU is expected to be lenient.
Russ Lowenthal, Oracle's director of product management for database security, said during an SC Media webcast that companies showing good faith toward implementing GDPR privacy standards will likely not get hit with the full force of the regulation if they are not yet compliant.
Anupam Sahai, Cavirin's vice president of product management, agreed, explaining that not even the regulators are prepared at this point to enforce full implementation.
“First off, this isn't like Y2K nearly two decades ago. Your systems won't suddenly stop working, and the EU regulators aren't going to be slapping you with a four percent fine anytime soon,” Sahai said.
For those companies that are well behind the GDPR curve, Chris Morales, head of security analytics at Vectra, suggested several steps that can be taken immediately to begin to correct the problem.
“First, review all of your privacy notices and make sure they accurately reflect what your organisation is doing, are easily understood by users, and are not hidden deep inside other legal terms," he said. "Second, make sure you aren't collecting lots of data that would put you at risk on day one and you don't have a need for. Finally, verify that you are keeping records on what you are doing for GDPR in case a problem does arrive.”
In what he described as an antidote to the FUD around GDPR, Greg Day, VP and CSO EMEA at Palo Alto Networks, emailed to suggest what we can expect when the dust settles: "While there's going to be pressure to show GDPR laws have teeth, don't expect organisations to be hit with fines immediately. The impact of GDPR enforcement is likely many months away. I suspect we won't see those examples of non-compliance made right away. It takes time to investigate and define just how bad violations were.
"If we assume the worst – poor documentation, poor metrics and little legacy evidence – it's likely that assessments could take months; and this is before lawyers start to negotiate the end outcome, testing and setting the legal precedents and culpabilities of those involved. As such it may be much later in 2018 before we see the real impact of GDPR.
"Regulatory pressures for improved cyber-security aren't going to let up after May 25th. The going live of GDPR and the much less discussed NIS aren't the end of the story on how regulations that protect our digital lives will evolve. For example, there's more to come in the EU, with the draft Cyber-security Act and its proposed EU cyber-security certification framework, currently going through the European Parliament, plus the Electronic Communications Code, which will update regulations for Europe's telecom industry and includes security requirements for these companies, nearing final stages of negotiations in Brussels. Like GDPR, could these nascent regulations influence advances in cyber-security practices well beyond Europe? Only time will tell.”
Further stats are still being produced on GDPR, with Big Data London, which interviewed 500 large UK organisations, finding that:
- 26 percent of UK organisations have prioritised GDPR as the main regulation to address
- 56 percent of UK respondents felt their organisations were doing “reasonably well” at implementing data governance programmes
- 46 percent of UK businesses believed the Government was doing an excellent job educating organisations about GDPR