Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

4/29/2019
10:30 AM
Daniel Barber
Daniel Barber
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

A Rear-View Look at GDPR: Compliance Has No Brakes

With a year of Europe's General Data Protection Regulation under our belt, what have we learned?

There is no denying the impact of the European Union General Data Protection Regulation (GDPR), which went into effect on May 25, 2018. We were all witness — or victim — to the flurry of updated privacy policy emails and cookie consent banners that descended upon us. It was such a zeitgeist moment that "we've updated our privacy policy" became a punchline.

Pragmatically, the GDPR will serve as a catalyst for a new wave of privacy regulations worldwide — as we have already seen with the California Consumer Privacy Act (CCPA) and an approaching wave of state-level regulation from Washington, Hawaii, Massachusetts, New Mexico, Rhode Island, and Maryland.

GDPR has been a boon for technology vendors and legal counsel: A PricewaterhouseCoopers survey indicates that GDPR budgets have topped $10 million for 40% of respondents. A majority of businesses are realizing that there are benefits to remediation beyond compliance, according to a survey by Deloitte. CSOs are happy to use privacy regulations as evidence in support of stronger data protection, CIOs can rethink the way they architect their data, and CMOs can build stronger bonds of trust with their customers.

But it is not a rose-tinted vision for everyone. GDPR fines are no paper tiger. France levied a stunning $57 million fine against Google for its GDPR violations. Even Ireland, long-viewed as a technology safe haven, has experienced a 100% increase in privacy complaints since May 25, 2018.

The complexity of GDPR has caused some unintended side effects. According to Jeff South, a journalism professor at Virginia Commonwealth University, writing for Nieman Lab, nearly a third of the largest US news sites chose to block access to the EU because of the GDPR, as they struggled to implement compliance solutions. A lot of companies have been struggling with GDPR compliance in the past year, and many continue to do so. I speak with them regularly. Here, I share a few of the lessons I've learned from them below.

Compliance Is a Journey, Not a Destination
One frequent complaint is the unexpected ongoing costs for sustained compliance, even after the initial stand-up costs. Anecdotally, we all recognize the effort that companies put into updating their privacy policies and consent management banners before May 25, 2018. But this sort of compliance is only step one: readiness.

Sustained compliance is much more difficult to achieve. Dynamic business systems require new processes that evolve with the changing legal landscape; the volume of manual work involved is often overlooked.

The source of this challenge is often marketing. Consider the depth and breadth of modern marketing solutions, as illustrated by this Luma Partners marketing map, is only the tip of the iceberg. It is not uncommon for a Fortune 500 company to have more than 100 of these solutions, each storing personal data, and operating independently of each other. What happens when a data subject exercises his or her right to be deleted from these systems?

Privacy policies and cookie banners are incapable of processing data subject access requests. It takes an entire team of professionals, each assigned as owners of specific systems, to ensure a requester's data is deleted. And it isn't enough to simply delete the data from the service (a soft delete); these teams often need to email their processors to ensure this data is deleted from their subprocessors as well (a hard delete). Not only is this a tedious manual process (and expensive if your privacy professionals are lawyers), but like any manual process it is also error prone. If Amazon, which last year failed to disclose when a customer's Alexa recordings were accidentally sent to a complete stranger, is not safe from these errors, who is?

The Map Is Not the Territory
Data inventories and data maps serve as the underlying foundation to process privacy requests, informing privacy teams of which systems contain personal data and where. But again, it is a tedious manual process to develop these data inventories. Many privacy management solutions still rely on manual surveys to determine who owns the data, the purpose of its collection, what type of data it is, and so forth.

And the reality is that these static data maps are just a snapshot. As quickly as they are created, they can become outdated. To sustain compliance, companies need a process to update these data inventories as new systems are purchased.

You Can Run from GDPR, but You Can't Hide from CCPA
There were a lot of companies that were able to ignore GDPR compliance. Domestic businesses or chain stores often had no need to comply. Others changed their business model, such as those news sites that blocked access to the EU. And still others took a wait-and-see approach. But the reality is that GDPR is just the beginning — the deadline for the California Consumer Privacy Act is less than nine months away, January 1, 2020 — and there are many other states considering similar privacy laws. If there is a lesson we have learned from one year of GDPR, it is that companies need to start planning for privacy regulations today because it can take up to a year to fully prepare. In the words of Ruby Zefo, Uber's chief privacy officer, GDPR compliance is like raising a baby: "Whether you think it is attractive or not is up to you, but you still need to take care of it."

Related Content:

 

 

 Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Daniel Barber is CEO & co-founder, DataGrail, where he drives the strategic vision and overall management of its privacy management solution. The General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and a worldwide trend toward privacy ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Browsers to Enforce Shorter Certificate Life Spans: What Businesses Should Know
Kelly Sheridan, Staff Editor, Dark Reading,  7/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-17366
PUBLISHED: 2020-08-05
An issue was discovered in NLnet Labs Routinator 0.1.0 through 0.7.1. It allows remote attackers to bypass intended access restrictions or to cause a denial of service on dependent routing systems by strategically withholding RPKI Route Origin Authorisation ".roa" files or X509 Certificate...
CVE-2020-9036
PUBLISHED: 2020-08-05
Jeedom through 4.0.38 allows XSS.
CVE-2020-15127
PUBLISHED: 2020-08-05
In Contour ( Ingress controller for Kubernetes) before version 1.7.0, a bad actor can shut down all instances of Envoy, essentially killing the entire ingress data plane. GET requests to /shutdown on port 8090 of the Envoy pod initiate Envoy's shutdown procedure. The shutdown procedure includes flip...
CVE-2020-15132
PUBLISHED: 2020-08-05
In Sulu before versions 1.6.35, 2.0.10, and 2.1.1, when the "Forget password" feature on the login screen is used, Sulu asks the user for a username or email address. If the given string is not found, a response with a `400` error code is returned, along with a error message saying that th...
CVE-2020-7298
PUBLISHED: 2020-08-05
Unexpected behavior violation in McAfee Total Protection (MTP) prior to 16.0.R26 allows local users to turn off real time scanning via a specially crafted object making a specific function call.