6 Actions That Made GDPR Real in 2019
In the wake of recent fines levied against British Airways, Marriott, and Facebook, companies are starting to take data privacy and security more seriously.
2019 may well be remembered as the year GDPR got real.
To be sure, July alone has been hopping, with hundreds of millions in fines and settlements being doled out in both the US and UK for violation of the European Union-issued General Data Protection Regulation, which went into effect May 25, 2018.
"I think as of now it's clear that GDPR is not an empty suit," says Nader Henein, a senior director analyst at Gartner who focuses on data privacy. "I think the regulators really want to see companies handling personal information more carefully. A lot of organizations were sitting on the fence, but I think these fines are starting to have an impact. A lot of multinationals are paying more attention."
Yet fines can't do it alone, adds Matt Radolec, head of security architecture and incident response at Varonis. Real change, he says, must come from all three parties: regulators, consumers raising complaints and questions, and security practitioners offering guidance.
"Let's build realistic security guidelines that are actionable and specific," Radolec says, pointing out that the Risk Management Framework (RMF) developed during the Obama years was very effective in raising awareness.
Here are six GDPR-related actions, in chronological order, that have turned heads during the first part of this year.
At least eight tech firms were named in a complaint filed by the privacy group NOYB (None Of Your Business) for allegedly violating the EU's GDPR. Max Schrems, who chairs NOYB, said none of the companies fully complied with GDPR. While many organizations set up automated systems to respond to access requests, he says, those systems come nowhere near providing the data that users have a right to see. That amounts to a structural violation of users' rights because the systems are designed to withhold relevant information, he adds. Companies named in the complaint, which was filed in Austria on behalf of 10 users, include Apple, Amazon, Netflix, Spotify, and YouTube.
CNBC reported the news on January 18.
The French were the first to levy a major GDPR fine against a US tech company, hitting Google with a $57 million penalty in January. The fine was issued by the Commission Nationale de l'Informatique et des Libertés (CNIL), which said Google did not fully disclose how it gathers and uses the personal information of its users. CNIL also said Google did not obtain proper consent from users before serving them personalized ads.
Dark Reading reported the news on January 21.
Momentum on fines picked up this month as British authorities levied a $229 million fine against British Airways. The UK's Information Commissioner's Office (ICO) said it intended to levy the penalty for the company's security failings, which led to a half-million customers' information being harvested by a fraudulent site. The UK's information commissioner also warned that other companies could face similar penalties unless they better protect the information of UK citizens.
Dark Reading reported the news on July 8.
The day after the British Airways fine, the UK's ICO also said it planned to fine Marriott International up to $124 million for GDPR violations. The fine was in response to the massive Starwood Hotels breach that allegedly affected more than 500 million guests around the world. Marriott indicated it would cooperate with the investigation, and the ICO said it will determine the final fine after hearing from Marriott and other interested parties.
Dark Reading reported the news on July 9.