Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

4/29/2019
10:30 AM
Daniel Barber
Daniel Barber
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

A Rear-View Look at GDPR: Compliance Has No Brakes

With a year of Europe's General Data Protection Regulation under our belt, what have we learned?

There is no denying the impact of the European Union General Data Protection Regulation (GDPR), which went into effect on May 25, 2018. We were all witness — or victim — to the flurry of updated privacy policy emails and cookie consent banners that descended upon us. It was such a zeitgeist moment that "we've updated our privacy policy" became a punchline.

Pragmatically, the GDPR will serve as a catalyst for a new wave of privacy regulations worldwide — as we have already seen with the California Consumer Privacy Act (CCPA) and an approaching wave of state-level regulation from Washington, Hawaii, Massachusetts, New Mexico, Rhode Island, and Maryland.

GDPR has been a boon for technology vendors and legal counsel: A PricewaterhouseCoopers survey indicates that GDPR budgets have topped $10 million for 40% of respondents. A majority of businesses are realizing that there are benefits to remediation beyond compliance, according to a survey by Deloitte. CSOs are happy to use privacy regulations as evidence in support of stronger data protection, CIOs can rethink the way they architect their data, and CMOs can build stronger bonds of trust with their customers.

But it is not a rose-tinted vision for everyone. GDPR fines are no paper tiger. France levied a stunning $57 million fine against Google for its GDPR violations. Even Ireland, long-viewed as a technology safe haven, has experienced a 100% increase in privacy complaints since May 25, 2018.

The complexity of GDPR has caused some unintended side effects. According to Jeff South, a journalism professor at Virginia Commonwealth University, writing for Nieman Lab, nearly a third of the largest US news sites chose to block access to the EU because of the GDPR, as they struggled to implement compliance solutions. A lot of companies have been struggling with GDPR compliance in the past year, and many continue to do so. I speak with them regularly. Here, I share a few of the lessons I've learned from them below.

Compliance Is a Journey, Not a Destination
One frequent complaint is the unexpected ongoing costs for sustained compliance, even after the initial stand-up costs. Anecdotally, we all recognize the effort that companies put into updating their privacy policies and consent management banners before May 25, 2018. But this sort of compliance is only step one: readiness.

Sustained compliance is much more difficult to achieve. Dynamic business systems require new processes that evolve with the changing legal landscape; the volume of manual work involved is often overlooked.

The source of this challenge is often marketing. Consider the depth and breadth of modern marketing solutions, as illustrated by this Luma Partners marketing map, is only the tip of the iceberg. It is not uncommon for a Fortune 500 company to have more than 100 of these solutions, each storing personal data, and operating independently of each other. What happens when a data subject exercises his or her right to be deleted from these systems?

Privacy policies and cookie banners are incapable of processing data subject access requests. It takes an entire team of professionals, each assigned as owners of specific systems, to ensure a requester's data is deleted. And it isn't enough to simply delete the data from the service (a soft delete); these teams often need to email their processors to ensure this data is deleted from their subprocessors as well (a hard delete). Not only is this a tedious manual process (and expensive if your privacy professionals are lawyers), but like any manual process it is also error prone. If Amazon, which last year failed to disclose when a customer's Alexa recordings were accidentally sent to a complete stranger, is not safe from these errors, who is?

The Map Is Not the Territory
Data inventories and data maps serve as the underlying foundation to process privacy requests, informing privacy teams of which systems contain personal data and where. But again, it is a tedious manual process to develop these data inventories. Many privacy management solutions still rely on manual surveys to determine who owns the data, the purpose of its collection, what type of data it is, and so forth.

And the reality is that these static data maps are just a snapshot. As quickly as they are created, they can become outdated. To sustain compliance, companies need a process to update these data inventories as new systems are purchased.

You Can Run from GDPR, but You Can't Hide from CCPA
There were a lot of companies that were able to ignore GDPR compliance. Domestic businesses or chain stores often had no need to comply. Others changed their business model, such as those news sites that blocked access to the EU. And still others took a wait-and-see approach. But the reality is that GDPR is just the beginning — the deadline for the California Consumer Privacy Act is less than nine months away, January 1, 2020 — and there are many other states considering similar privacy laws. If there is a lesson we have learned from one year of GDPR, it is that companies need to start planning for privacy regulations today because it can take up to a year to fully prepare. In the words of Ruby Zefo, Uber's chief privacy officer, GDPR compliance is like raising a baby: "Whether you think it is attractive or not is up to you, but you still need to take care of it."

Related Content:

 

 

 Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Daniel Barber is CEO & co-founder, DataGrail, where he drives the strategic vision and overall management of its privacy management solution. The General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and a worldwide trend toward privacy ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Look Beyond the 'Big 5' in Cyberattacks
Robert Lemos, Contributing Writer,  11/25/2020
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: I think the boss is bing watching '70s TV shows again!
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5423
PUBLISHED: 2020-12-02
CAPI (Cloud Controller) versions prior to 1.101.0 are vulnerable to a denial-of-service attack in which an unauthenticated malicious attacker can send specially-crafted YAML files to certain endpoints, causing the YAML parser to consume excessive CPU and RAM.
CVE-2020-29454
PUBLISHED: 2020-12-02
Editors/LogViewerController.cs in Umbraco through 8.9.1 allows a user to visit a logviewer endpoint even if they lack Applications.Settings access.
CVE-2020-7199
PUBLISHED: 2020-12-02
A security vulnerability has been identified in the HPE Edgeline Infrastructure Manager, also known as HPE Edgeline Infrastructure Management Software. The vulnerability could be remotely exploited to bypass remote authentication leading to execution of arbitrary commands, gaining privileged access,...
CVE-2020-14260
PUBLISHED: 2020-12-02
HCL Domino is susceptible to a Buffer Overflow vulnerability in DXL due to improper validation of user input. A successful exploit could enable an attacker to crash Domino or execute attacker-controlled code on the server system.
CVE-2020-14305
PUBLISHED: 2020-12-02
An out-of-bounds memory write flaw was found in how the Linux kernel’s Voice Over IP H.323 connection tracking functionality handled connections on ipv6 port 1720. This flaw allows an unauthenticated remote user to crash the system, causing a denial of service. The highest threat ...