Risk //

Compliance

5/25/2018
01:10 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

GDPR Oddsmakers: Who, Where, When Will Enforcement Hit First?

The GDPR grace period ends today. Experts take their best guesses on when data protection authorities will strike - and what kind of organizations will be first to feel the sting of the EU privacy law.

Alarm bells are ringing. The grace period is over. As of today, supervisory authorities are officially free to lay down enforcement action for the European Union's General Data Protection Regulation (GDPR). Now come the real questions: who gets hit first, for what, how hard, and when does the hammer drop?

There are probably as many answers to those question as there are supervisory authorities (SAs), and there are many, notes Omer Tene, vice president and chief knowledge officer of the International Association of Privacy Professionals. Tene points out that there are 28 different EU member states, and not only might they have individual federal authorities, but they may also have a dozen more for individual states - similar to the US system. Different authorities have different priorities and different "appetites" for litigation or punitive action, he says.

They also vary in their staffing and resources. As Michelle Dennedy, chief privacy officer of Cisco, puts it, the privacy field is small enough that almost everyone knows each other by name. While Tene doesn't think there has been a connection between the size of authorities' resources and the size of their appetities - some of the smaller ones going after the biggest companies in the past - Dennedy maintains it could affect the number of organizations they investigate.

GDPR sets down new rules about consent, requiring organizations to obtain individuals’ consent to collect, store, use, share, transmit, or sell their personal information for any reason – and an individual can withdraw that consent at any time, meaning that the organization must retrieve and destroy information as necessary. It includes rules about information security, including pseudonymization, encryption, and multi-factor authentication.

The law applies to the data of EU citizens, regardless of where the data resides, so it affects organizations across the globe.   

If you've started your compliance process but aren't finished, you might not need to lose sleep. Yet. 

"I don't think regulators are necessarily trying to play 'gotcha,'" says Greg Sparrow, senior vice president and general manager of CompliancePoint. Rather than trying to stick it to the organizations that don't have every control for every article in place yet, he says they're looking for "willful neglect" and "blatant disregard" for the law and its intent.

Dennedy agrees. "A good will effort [to comply] is worth a lot. ... You're definitely going to help limit your risk [of punitive action], and more importantly you're going to go a long way with your customers," she says.

Don't get too comfortable, though. The experts agree the enforcement actions - at least investigations - will come and come quickly. How quickly, and to whom? Here are the experts' best guesses: 

1. Individual Citizens (and 'Trolls') Press the Issue 

Individual citizens can also bring their civil cases against companies under GDPR, without waiting for the nation-state supervisory authorities to take the lead. Tene says that is another question mark for GDPR: what will individual complaints look like, and what impact will they have. 

The first volley has already been launched. Privacy group noyb.eu, led by activist Max Schrems, filed complaints against Facebook, Google, Instagram, and WhatsApp today. The companies are accused of forcing users to consent to targeted advertising to use the services, without being given a genuinely free choice.

"We are hearing from our advisors and customers, of increased occurrences of 'trolls' that are testing out GDPR readiness with customers," says 1touch.io CEO and co-founder Zak Rubinstein. "The first cases are likely to be the easiest to prove and will evolve around Data Subject Access Rights. This could take place as early as Q3 this year."

2. 'Shadier' Company Investigated Within a Week, or Sooner 

GDPR gets lots of attention for the how it can bloody an organization with fines of 200 million Euro of 4% of global annual revenue. However, like a shark, GDPR has other rows of teeth it can sink into an organization - like orders to stop data processing activity, for example - which could be even more devastating.

It's these other powers that IAPP's Tene thinks will be put to most use, particularly against "shadier" companies doing "unwholesome" things with individuals' private data. He gives Cambridge Analytica as an example as such an organization.

By issuing orders to stop data processing rather than simply leveling fines, Tene says, GDPR can "clear the ecosystem" of organizations that violate individuals' privacy. Fines may not accomplish the same. "Anti-trust enforcers have had powers to issue fines for years and we still scarcely see those," he notes. 

Tene says to expect a data protection authority to issue a complaint or begin an investigation against this sort of company within a week or two, maybe even within an hour of when GDPR enforcement goes into effect.

Michael Feiertag, CEO of tCell and former head of products at Okta, notes the same thing. Because there is so much abuse to choose from, the first companies to feel enforcement action  will be "smaller EU-based phone and email marketing firms using deceptive techniques to collect personal info from Germans and using it to peddle junk 'Free pretzel with your Viagra' offers," says Feiertag.

He expects authorities to "spend their first years racking up popular wins to build confidence in the new regulatory regime. They will pick a number of truly bad actors and put them out of business with crushing audits, legal proceedings and fines."

"The interesting wild card is whether the next Cambridge Analytica is discovered soon," says Feiertag. "If so, I expect an ambitious [supervisory authority] to use its audit powers to disrupt that company's ability to do business."

3. Local Precedent-Setters Ready Way for Multinational Giant 

"If I was a regulator, I'd be thinking 'well my staff hasn't quadrupled, but we have to have an impact,'" says Cisco's Dennedy. "So what I wouldn't do is ... have all of them go after an Amazon or a Google on Day One."

She expects that an authority might choose one multinational "headliner" to investigate and then a cluster of local organizations - focusing on those that handle children's data or pose public health/security risks, for example. 

CompliancePoint's Sparrow anticipates the same pattern, for another reason. Enforcing the regulations upon a local entity, where there are "clear uncomplicated lines of jurisdiction," he says, makes it easier to establish legal precedent.

"That sounds like perfect logic to me," says Tene. "Maybe a nice halibut before your Moby Dick." He notes, though, that these "halibuts" might actually be pretty big fish, locally. They might be household names in the region - major banks, healthcare facilities, or telecoms - but unknown internationally. 

4. A Tech Giant (Ahem, Facebook) Gets Audited Right Away

Experts do not think it will be too long before Moby Dick does get a call from the investigators, though.

"Within the next six months," an investigation will launch, if not an enforcement action, says Sparrow. "They're going to hit while they've got momentum. Facebook would likely be the top of the list."

"Facebook and Google will get the call," says tCell's Feiertag.

Feiertag expects that major marketing or technology companies will be given "spot checks" on their compliance efforts soon, but not in anticipation of large enforcement actions. 

"The vast majority of these organizations are attempting to comply with the the law" as they understand its meaning, he says. "The audits won't find much, but will begin to establish accepted practices and to ensure that the law continues to be followed." 

Sparrow, however, says, "I do think Facebook is a little at risk."

He noted that European regulators are "not afraid at all" to go after Silicon Valley tech giants, and that just this week Mark Zuckerberg told European Parliament in Brussels "We do expect [Facebook] to be fully compliant [with GDPR] on May 25th." Not just "materially compliant" but "fully" compliant" (and just two months after the Cambridge Analytica revelations, too). 

"That's a big assertion by Mark," says Sparrow, "and you could easily poke holes in that." 

5. Those With Lax Payment Card Security Will Be Given Just Enough Rope to Hang Themselves With

Payment card data continues to be a popular target with attackers - so companies that are reckless with payment card data will be high on GDPR enforcement authorities' priority lists, predicts Michael Aminzade, vice president of global compliance and risk services at Trustwave.

"I expect the first enforcement to come from an industry where payment card data is prevalent such as retail, hospitality, or online storefronts in a country where secure code development practices and technologies like EMV chip use is less mature," says Aminzade.

Aminzade doesn't expect the the authorities to be quick on the draw, however. His guess is that the first action won't happen for 12- to 24 months. "The European Union along with major industries and other stakeholders knows full well that not everyone is quite ready, so to hammer an organization early on would make less of an impact." 

"The first monetary penalty is sure to sting to make a point, but unlikely to be the maximum – that will come further down the road," he predicts. 

6. Changing the Way You Use Data

The first hits will come for the most obvious, most tangible offenses: passwords only where there's supposed to be multi-factor authentication, or an outdated privacy policy that doesn't pass muster. Eventually, though, GDPR will force fundamental changes to business models, experts say.

"There has been an inordinate amount of focus on the potential fines," says Dave Lewis, global security advocate at Akamai Technologies. "The reality is that GDPR is very much a push towards ensuring the accountability of the data for which [companies] are stewards."

Cisco's Dennedy says that many businesses have more data than they can safely secure, and are coming around to the idea that they just won't collect it in the first place. Business models were encouraged by the tenet that storage is cheap, but, she says, cheap storage isn't ultimately a good thing, because it enabled more waste and created uncurated, unstructured data. 

"It's kind of like that show 'Hoarders,' she says. "It's smelly in there."

Related Content:

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Ayo99
50%
50%
Ayo99,
User Rank: Apprentice
7/10/2018 | 4:46:41 AM
Re: stop data processing
luckly im not live in europe.. and my target market are asian
alise1208
50%
50%
alise1208,
User Rank: Apprentice
6/21/2018 | 6:05:27 AM
GSPR experience
When I was looking for any information about GDPR compliance, I came across many articles where companies described their experience in solving this issue. Here is one great post on Redwerk's blog https://redwerk.com/blog/turning-gdpr-compliance-redwerks-experience I think everyone can use this tips and implement in their company, as GDPR fines already come into force.
AnneJoiner
50%
50%
AnneJoiner,
User Rank: Apprentice
6/1/2018 | 6:57:12 AM
Re: Targeting Habitual Violators
that sound is good
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
5/31/2018 | 10:46:51 PM
Re: Targeting Habitual Violators
@Ryan: I'm not so sure there will be a lot of companies going out of business here, but the UK's ICO (i.e., that nation's DPA responsible for enforcing GDPR there) is on record as saying that they will exercise the same restraint and discretion that they always have -- noting that, pre-GDPR, maximum fining power for their organization under then-present regulations was £500,000, and that they had never once fined anyone that maximum.
CleanShine
50%
50%
CleanShine,
User Rank: Apprentice
5/30/2018 | 3:34:56 PM
thanks
Good
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
5/30/2018 | 2:35:47 PM
Re: Ghostery
I am sorry for this but could not resist .....

They are giving these legal issues interesting names these days, Who's filing first, what is filing second and i don't know who is issuing the third filing.  WHAT?  i SAID WHO is filing first.  That's what I am trying to find out, WHO is filing first? Yes.  Yes? Precisely.  Oh, precisely is filing first - NO NOTHING OF THE KIND, WHO IS FILING FIRST..
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
5/30/2018 | 2:38:26 AM
Ghostery
I think we already have an answer to the underlying question here: Ghostery.

The company was one of many to send GDPR contact emails -- but the person in charge of that task CC'd everyone instead of BCC'ing everying. The result was massive exposure of individuals' email addresses.

This was made public, and the company has indicated that it will self-report this data leak.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
5/29/2018 | 3:07:13 PM
Re: Targeting Habitual Violators
However, I don't mind that GDPR enforcement is targeting a more draconian narrative and trying to remove habitual violators from the ecosystem. I would be ok with that too. Singling our the violators is the way to go I would say.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
5/29/2018 | 3:05:37 PM
Re: stop data processing
But to order the company to stop processing and in essense stop bringing in money to the organization will most definitely bring those bad practices to a halt. I would agree. We need to start somewhere and improve on it.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
5/29/2018 | 3:03:24 PM
Re: stop data processing
Most companies can more than survive fines that are given based on bad practices. That would be one of the concerns I have. That is still ok, fine could be increased at one point I would guess.
Page 1 / 2   >   >>
12 Free, Ready-to-Use Security Tools
Steve Zurier, Freelance Writer,  10/12/2018
Most IT Security Pros Want to Change Jobs
Dark Reading Staff 10/12/2018
6 Security Trends for 2018/2019
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/15/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.