Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

4/29/2019
10:30 AM
Daniel Barber
Daniel Barber
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

A Rear-View Look at GDPR: Compliance Has No Brakes

With a year of Europe's General Data Protection Regulation under our belt, what have we learned?

There is no denying the impact of the European Union General Data Protection Regulation (GDPR), which went into effect on May 25, 2018. We were all witness — or victim — to the flurry of updated privacy policy emails and cookie consent banners that descended upon us. It was such a zeitgeist moment that "we've updated our privacy policy" became a punchline.

Pragmatically, the GDPR will serve as a catalyst for a new wave of privacy regulations worldwide — as we have already seen with the California Consumer Privacy Act (CCPA) and an approaching wave of state-level regulation from Washington, Hawaii, Massachusetts, New Mexico, Rhode Island, and Maryland.

GDPR has been a boon for technology vendors and legal counsel: A PricewaterhouseCoopers survey indicates that GDPR budgets have topped $10 million for 40% of respondents. A majority of businesses are realizing that there are benefits to remediation beyond compliance, according to a survey by Deloitte. CSOs are happy to use privacy regulations as evidence in support of stronger data protection, CIOs can rethink the way they architect their data, and CMOs can build stronger bonds of trust with their customers.

But it is not a rose-tinted vision for everyone. GDPR fines are no paper tiger. France levied a stunning $57 million fine against Google for its GDPR violations. Even Ireland, long-viewed as a technology safe haven, has experienced a 100% increase in privacy complaints since May 25, 2018.

The complexity of GDPR has caused some unintended side effects. According to Jeff South, a journalism professor at Virginia Commonwealth University, writing for Nieman Lab, nearly a third of the largest US news sites chose to block access to the EU because of the GDPR, as they struggled to implement compliance solutions. A lot of companies have been struggling with GDPR compliance in the past year, and many continue to do so. I speak with them regularly. Here, I share a few of the lessons I've learned from them below.

Compliance Is a Journey, Not a Destination
One frequent complaint is the unexpected ongoing costs for sustained compliance, even after the initial stand-up costs. Anecdotally, we all recognize the effort that companies put into updating their privacy policies and consent management banners before May 25, 2018. But this sort of compliance is only step one: readiness.

Sustained compliance is much more difficult to achieve. Dynamic business systems require new processes that evolve with the changing legal landscape; the volume of manual work involved is often overlooked.

The source of this challenge is often marketing. Consider the depth and breadth of modern marketing solutions, as illustrated by this Luma Partners marketing map, is only the tip of the iceberg. It is not uncommon for a Fortune 500 company to have more than 100 of these solutions, each storing personal data, and operating independently of each other. What happens when a data subject exercises his or her right to be deleted from these systems?

Privacy policies and cookie banners are incapable of processing data subject access requests. It takes an entire team of professionals, each assigned as owners of specific systems, to ensure a requester's data is deleted. And it isn't enough to simply delete the data from the service (a soft delete); these teams often need to email their processors to ensure this data is deleted from their subprocessors as well (a hard delete). Not only is this a tedious manual process (and expensive if your privacy professionals are lawyers), but like any manual process it is also error prone. If Amazon, which last year failed to disclose when a customer's Alexa recordings were accidentally sent to a complete stranger, is not safe from these errors, who is?

The Map Is Not the Territory
Data inventories and data maps serve as the underlying foundation to process privacy requests, informing privacy teams of which systems contain personal data and where. But again, it is a tedious manual process to develop these data inventories. Many privacy management solutions still rely on manual surveys to determine who owns the data, the purpose of its collection, what type of data it is, and so forth.

And the reality is that these static data maps are just a snapshot. As quickly as they are created, they can become outdated. To sustain compliance, companies need a process to update these data inventories as new systems are purchased.

You Can Run from GDPR, but You Can't Hide from CCPA
There were a lot of companies that were able to ignore GDPR compliance. Domestic businesses or chain stores often had no need to comply. Others changed their business model, such as those news sites that blocked access to the EU. And still others took a wait-and-see approach. But the reality is that GDPR is just the beginning — the deadline for the California Consumer Privacy Act is less than nine months away, January 1, 2020 — and there are many other states considering similar privacy laws. If there is a lesson we have learned from one year of GDPR, it is that companies need to start planning for privacy regulations today because it can take up to a year to fully prepare. In the words of Ruby Zefo, Uber's chief privacy officer, GDPR compliance is like raising a baby: "Whether you think it is attractive or not is up to you, but you still need to take care of it."

Related Content:

 

 

 Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Daniel Barber is CEO & co-founder, DataGrail, where he drives the strategic vision and overall management of its privacy management solution. The General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and a worldwide trend toward privacy ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
State of SMB Insecurity by the Numbers
Ericka Chickowski, Contributing Writer,  10/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16966
PUBLISHED: 2019-10-21
An issue was discovered in Contactmanager 13.x before 13.0.45.3, 14.x before 14.0.5.12, and 15.x before 15.0.8.21 for FreePBX 14.0.10.3. In the Contactmanager class (html\admin\modules\contactmanager\Contactmanager.class.php), an unsanitized group variable coming from the URL is reflected in HTML on...
CVE-2019-9491
PUBLISHED: 2019-10-21
Trend Micro Anti-Threat Toolkit (ATTK) versions 1.62.0.1218 and below have a vulnerability that may allow an attacker to place malicious files in the same directory, potentially leading to arbitrary remote code execution (RCE) when executed.
CVE-2019-16964
PUBLISHED: 2019-10-21
app/call_centers/cmd.php in the Call Center Queue Module in FusionPBX up to 4.5.7 suffers from a command injection vulnerability due to a lack of input validation, which allows authenticated attackers (with at least the permission call_center_queue_add or call_center_queue_edit) to execute any comma...
CVE-2019-16965
PUBLISHED: 2019-10-21
resources/cmd.php in FusionPBX up to 4.5.7 suffers from a command injection vulnerability due to a lack of input validation, which allows authenticated administrative attackers to execute any commands on the host as www-data.
CVE-2019-18203
PUBLISHED: 2019-10-21
On the RICOH MP 501 printer, HTML Injection and Stored XSS vulnerabilities have been discovered in the area of adding addresses via the entryNameIn and KeyDisplay parameter to /web/entry/en/address/adrsSetUserWizard.cgi.