Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk //


01:10 PM
Connect Directly

GDPR Oddsmakers: Who, Where, When Will Enforcement Hit First?

The GDPR grace period ends today. Experts take their best guesses on when data protection authorities will strike - and what kind of organizations will be first to feel the sting of the EU privacy law.

Alarm bells are ringing. The grace period is over. As of today, supervisory authorities are officially free to lay down enforcement action for the European Union's General Data Protection Regulation (GDPR). Now come the real questions: who gets hit first, for what, how hard, and when does the hammer drop?

There are probably as many answers to those question as there are supervisory authorities (SAs), and there are many, notes Omer Tene, vice president and chief knowledge officer of the International Association of Privacy Professionals. Tene points out that there are 28 different EU member states, and not only might they have individual federal authorities, but they may also have a dozen more for individual states - similar to the US system. Different authorities have different priorities and different "appetites" for litigation or punitive action, he says.

They also vary in their staffing and resources. As Michelle Dennedy, chief privacy officer of Cisco, puts it, the privacy field is small enough that almost everyone knows each other by name. While Tene doesn't think there has been a connection between the size of authorities' resources and the size of their appetities - some of the smaller ones going after the biggest companies in the past - Dennedy maintains it could affect the number of organizations they investigate.

GDPR sets down new rules about consent, requiring organizations to obtain individuals’ consent to collect, store, use, share, transmit, or sell their personal information for any reason – and an individual can withdraw that consent at any time, meaning that the organization must retrieve and destroy information as necessary. It includes rules about information security, including pseudonymization, encryption, and multi-factor authentication.

The law applies to the data of EU citizens, regardless of where the data resides, so it affects organizations across the globe.   

If you've started your compliance process but aren't finished, you might not need to lose sleep. Yet. 

"I don't think regulators are necessarily trying to play 'gotcha,'" says Greg Sparrow, senior vice president and general manager of CompliancePoint. Rather than trying to stick it to the organizations that don't have every control for every article in place yet, he says they're looking for "willful neglect" and "blatant disregard" for the law and its intent.

Dennedy agrees. "A good will effort [to comply] is worth a lot. ... You're definitely going to help limit your risk [of punitive action], and more importantly you're going to go a long way with your customers," she says.

Don't get too comfortable, though. The experts agree the enforcement actions - at least investigations - will come and come quickly. How quickly, and to whom? Here are the experts' best guesses: 

1. Individual Citizens (and 'Trolls') Press the Issue 

Individual citizens can also bring their civil cases against companies under GDPR, without waiting for the nation-state supervisory authorities to take the lead. Tene says that is another question mark for GDPR: what will individual complaints look like, and what impact will they have. 

The first volley has already been launched. Privacy group noyb.eu, led by activist Max Schrems, filed complaints against Facebook, Google, Instagram, and WhatsApp today. The companies are accused of forcing users to consent to targeted advertising to use the services, without being given a genuinely free choice.

"We are hearing from our advisors and customers, of increased occurrences of 'trolls' that are testing out GDPR readiness with customers," says 1touch.io CEO and co-founder Zak Rubinstein. "The first cases are likely to be the easiest to prove and will evolve around Data Subject Access Rights. This could take place as early as Q3 this year."

2. 'Shadier' Company Investigated Within a Week, or Sooner 

GDPR gets lots of attention for the how it can bloody an organization with fines of 200 million Euro of 4% of global annual revenue. However, like a shark, GDPR has other rows of teeth it can sink into an organization - like orders to stop data processing activity, for example - which could be even more devastating.

It's these other powers that IAPP's Tene thinks will be put to most use, particularly against "shadier" companies doing "unwholesome" things with individuals' private data. He gives Cambridge Analytica as an example as such an organization.

By issuing orders to stop data processing rather than simply leveling fines, Tene says, GDPR can "clear the ecosystem" of organizations that violate individuals' privacy. Fines may not accomplish the same. "Anti-trust enforcers have had powers to issue fines for years and we still scarcely see those," he notes. 

Tene says to expect a data protection authority to issue a complaint or begin an investigation against this sort of company within a week or two, maybe even within an hour of when GDPR enforcement goes into effect.

Michael Feiertag, CEO of tCell and former head of products at Okta, notes the same thing. Because there is so much abuse to choose from, the first companies to feel enforcement action  will be "smaller EU-based phone and email marketing firms using deceptive techniques to collect personal info from Germans and using it to peddle junk 'Free pretzel with your Viagra' offers," says Feiertag.

He expects authorities to "spend their first years racking up popular wins to build confidence in the new regulatory regime. They will pick a number of truly bad actors and put them out of business with crushing audits, legal proceedings and fines."

"The interesting wild card is whether the next Cambridge Analytica is discovered soon," says Feiertag. "If so, I expect an ambitious [supervisory authority] to use its audit powers to disrupt that company's ability to do business."

3. Local Precedent-Setters Ready Way for Multinational Giant 

"If I was a regulator, I'd be thinking 'well my staff hasn't quadrupled, but we have to have an impact,'" says Cisco's Dennedy. "So what I wouldn't do is ... have all of them go after an Amazon or a Google on Day One."

She expects that an authority might choose one multinational "headliner" to investigate and then a cluster of local organizations - focusing on those that handle children's data or pose public health/security risks, for example. 

CompliancePoint's Sparrow anticipates the same pattern, for another reason. Enforcing the regulations upon a local entity, where there are "clear uncomplicated lines of jurisdiction," he says, makes it easier to establish legal precedent.

"That sounds like perfect logic to me," says Tene. "Maybe a nice halibut before your Moby Dick." He notes, though, that these "halibuts" might actually be pretty big fish, locally. They might be household names in the region - major banks, healthcare facilities, or telecoms - but unknown internationally. 

4. A Tech Giant (Ahem, Facebook) Gets Audited Right Away

Experts do not think it will be too long before Moby Dick does get a call from the investigators, though.

"Within the next six months," an investigation will launch, if not an enforcement action, says Sparrow. "They're going to hit while they've got momentum. Facebook would likely be the top of the list."

"Facebook and Google will get the call," says tCell's Feiertag.

Feiertag expects that major marketing or technology companies will be given "spot checks" on their compliance efforts soon, but not in anticipation of large enforcement actions. 

"The vast majority of these organizations are attempting to comply with the the law" as they understand its meaning, he says. "The audits won't find much, but will begin to establish accepted practices and to ensure that the law continues to be followed." 

Sparrow, however, says, "I do think Facebook is a little at risk."

He noted that European regulators are "not afraid at all" to go after Silicon Valley tech giants, and that just this week Mark Zuckerberg told European Parliament in Brussels "We do expect [Facebook] to be fully compliant [with GDPR] on May 25th." Not just "materially compliant" but "fully" compliant" (and just two months after the Cambridge Analytica revelations, too). 

"That's a big assertion by Mark," says Sparrow, "and you could easily poke holes in that." 

5. Those With Lax Payment Card Security Will Be Given Just Enough Rope to Hang Themselves With

Payment card data continues to be a popular target with attackers - so companies that are reckless with payment card data will be high on GDPR enforcement authorities' priority lists, predicts Michael Aminzade, vice president of global compliance and risk services at Trustwave.

"I expect the first enforcement to come from an industry where payment card data is prevalent such as retail, hospitality, or online storefronts in a country where secure code development practices and technologies like EMV chip use is less mature," says Aminzade.

Aminzade doesn't expect the the authorities to be quick on the draw, however. His guess is that the first action won't happen for 12- to 24 months. "The European Union along with major industries and other stakeholders knows full well that not everyone is quite ready, so to hammer an organization early on would make less of an impact." 

"The first monetary penalty is sure to sting to make a point, but unlikely to be the maximum – that will come further down the road," he predicts. 

6. Changing the Way You Use Data

The first hits will come for the most obvious, most tangible offenses: passwords only where there's supposed to be multi-factor authentication, or an outdated privacy policy that doesn't pass muster. Eventually, though, GDPR will force fundamental changes to business models, experts say.

"There has been an inordinate amount of focus on the potential fines," says Dave Lewis, global security advocate at Akamai Technologies. "The reality is that GDPR is very much a push towards ensuring the accountability of the data for which [companies] are stewards."

Cisco's Dennedy says that many businesses have more data than they can safely secure, and are coming around to the idea that they just won't collect it in the first place. Business models were encouraged by the tenet that storage is cheap, but, she says, cheap storage isn't ultimately a good thing, because it enabled more waste and created uncurated, unstructured data. 

"It's kind of like that show 'Hoarders,' she says. "It's smelly in there."

Related Content:

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
User Rank: Ninja
5/29/2018 | 3:02:05 PM
Re: stop data processing
Finally an effective solution to bad practices. I would agree and also saint and see how they would be enforcing it.
User Rank: Ninja
5/29/2018 | 3:00:59 PM
Hopefully this law will work out better for the people of Europe and and around the world. Privacy becomes critical obviously for everyone.
User Rank: Ninja
5/29/2018 | 10:47:15 AM
Targeting Habitual Violators
"They will pick a number of truly bad actors and put them out of business with crushing audits, legal proceedings and fines"

It's good to hear that if you are making an effort that you will most likely not receive a drastic punitive assignment. However, I don't mind that GDPR enforcement is targeting a more draconian narrative and trying to remove habitual violators from the ecosystem.
User Rank: Ninja
5/29/2018 | 10:44:43 AM
stop data processing
Finally an effective solution to bad practices. Most companies can more than survive fines that are given based on bad practices. But to order the company to stop processing and in essense stop bringing in money to the organization will most definitely bring those bad practices to a halt.
<<   <   Page 2 / 2
What the FedEx Logo Taught Me About Cybersecurity
Matt Shea, Head of Federal @ MixMode,  6/4/2021
A View From Inside a Deception
Sara Peters, Senior Editor at Dark Reading,  6/2/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-13
The package studio-42/elfinder before 2.1.58 are vulnerable to Remote Code Execution (RCE) via execution of PHP code in a .phar file. NOTE: This only applies if the server parses .phar files as PHP.
PUBLISHED: 2021-06-12
Receita Federal IRPF 2021 1.7 allows a man-in-the-middle attack against the update feature.
PUBLISHED: 2021-06-12
In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
PUBLISHED: 2021-06-12
In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
PUBLISHED: 2021-06-12
It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-16 package apport hooks, it could expose private data to other local users.