Alarm bells are ringing. The grace period is over. As of today, supervisory authorities are officially free to lay down enforcement action for the European Union's General Data Protection Regulation (GDPR). Now come the real questions: who gets hit first, for what, how hard, and when does the hammer drop?
There are probably as many answers to those question as there are supervisory authorities (SAs), and there are many, notes Omer Tene, vice president and chief knowledge officer of the International Association of Privacy Professionals. Tene points out that there are 28 different EU member states, and not only might they have individual federal authorities, but they may also have a dozen more for individual states - similar to the US system. Different authorities have different priorities and different "appetites" for litigation or punitive action, he says.
They also vary in their staffing and resources. As Michelle Dennedy, chief privacy officer of Cisco, puts it, the privacy field is small enough that almost everyone knows each other by name. While Tene doesn't think there has been a connection between the size of authorities' resources and the size of their appetities - some of the smaller ones going after the biggest companies in the past - Dennedy maintains it could affect the number of organizations they investigate.
GDPR sets down new rules about consent, requiring organizations to obtain individuals’ consent to collect, store, use, share, transmit, or sell their personal information for any reason – and an individual can withdraw that consent at any time, meaning that the organization must retrieve and destroy information as necessary. It includes rules about information security, including pseudonymization, encryption, and multi-factor authentication.
The law applies to the data of EU citizens, regardless of where the data resides, so it affects organizations across the globe.
If you've started your compliance process but aren't finished, you might not need to lose sleep. Yet.
"I don't think regulators are necessarily trying to play 'gotcha,'" says Greg Sparrow, senior vice president and general manager of CompliancePoint. Rather than trying to stick it to the organizations that don't have every control for every article in place yet, he says they're looking for "willful neglect" and "blatant disregard" for the law and its intent.
Dennedy agrees. "A good will effort [to comply] is worth a lot. ... You're definitely going to help limit your risk [of punitive action], and more importantly you're going to go a long way with your customers," she says.
Don't get too comfortable, though. The experts agree the enforcement actions - at least investigations - will come and come quickly. How quickly, and to whom? Here are the experts' best guesses:
1. Individual Citizens (and 'Trolls') Press the Issue
Individual citizens can also bring their civil cases against companies under GDPR, without waiting for the nation-state supervisory authorities to take the lead. Tene says that is another question mark for GDPR: what will individual complaints look like, and what impact will they have.
The first volley has already been launched. Privacy group noyb.eu, led by activist Max Schrems, filed complaints against Facebook, Google, Instagram, and WhatsApp today. The companies are accused of forcing users to consent to targeted advertising to use the services, without being given a genuinely free choice.
"We are hearing from our advisors and customers, of increased occurrences of 'trolls' that are testing out GDPR readiness with customers," says 1touch.io CEO and co-founder Zak Rubinstein. "The first cases are likely to be the easiest to prove and will evolve around Data Subject Access Rights. This could take place as early as Q3 this year."
2. 'Shadier' Company Investigated Within a Week, or Sooner
GDPR gets lots of attention for the how it can bloody an organization with fines of 200 million Euro of 4% of global annual revenue. However, like a shark, GDPR has other rows of teeth it can sink into an organization - like orders to stop data processing activity, for example - which could be even more devastating.
It's these other powers that IAPP's Tene thinks will be put to most use, particularly against "shadier" companies doing "unwholesome" things with individuals' private data. He gives Cambridge Analytica as an example as such an organization.
By issuing orders to stop data processing rather than simply leveling fines, Tene says, GDPR can "clear the ecosystem" of organizations that violate individuals' privacy. Fines may not accomplish the same. "Anti-trust enforcers have had powers to issue fines for years and we still scarcely see those," he notes.
Tene says to expect a data protection authority to issue a complaint or begin an investigation against this sort of company within a week or two, maybe even within an hour of when GDPR enforcement goes into effect.
Michael Feiertag, CEO of tCell and former head of products at Okta, notes the same thing. Because there is so much abuse to choose from, the first companies to feel enforcement action will be "smaller EU-based phone and email marketing firms using deceptive techniques to collect personal info from Germans and using it to peddle junk 'Free pretzel with your Viagra' offers," says Feiertag.
He expects authorities to "spend their first years racking up popular wins to build confidence in the new regulatory regime. They will pick a number of truly bad actors and put them out of business with crushing audits, legal proceedings and fines."
"The interesting wild card is whether the next Cambridge Analytica is discovered soon," says Feiertag. "If so, I expect an ambitious [supervisory authority] to use its audit powers to disrupt that company's ability to do business."
3. Local Precedent-Setters Ready Way for Multinational Giant
"If I was a regulator, I'd be thinking 'well my staff hasn't quadrupled, but we have to have an impact,'" says Cisco's Dennedy. "So what I wouldn't do is ... have all of them go after an Amazon or a Google on Day One."
She expects that an authority might choose one multinational "headliner" to investigate and then a cluster of local organizations - focusing on those that handle children's data or pose public health/security risks, for example.
CompliancePoint's Sparrow anticipates the same pattern, for another reason. Enforcing the regulations upon a local entity, where there are "clear uncomplicated lines of jurisdiction," he says, makes it easier to establish legal precedent.
"That sounds like perfect logic to me," says Tene. "Maybe a nice halibut before your Moby Dick." He notes, though, that these "halibuts" might actually be pretty big fish, locally. They might be household names in the region - major banks, healthcare facilities, or telecoms - but unknown internationally.
4. A Tech Giant (Ahem, Facebook) Gets Audited Right Away
Experts do not think it will be too long before Moby Dick does get a call from the investigators, though.
"Within the next six months," an investigation will launch, if not an enforcement action, says Sparrow. "They're going to hit while they've got momentum. Facebook would likely be the top of the list."
"Facebook and Google will get the call," says tCell's Feiertag.
Feiertag expects that major marketing or technology companies will be given "spot checks" on their compliance efforts soon, but not in anticipation of large enforcement actions.
"The vast majority of these organizations are attempting to comply with the the law" as they understand its meaning, he says. "The audits won't find much, but will begin to establish accepted practices and to ensure that the law continues to be followed."
Sparrow, however, says, "I do think Facebook is a little at risk."
He noted that European regulators are "not afraid at all" to go after Silicon Valley tech giants, and that just this week Mark Zuckerberg told European Parliament in Brussels "We do expect [Facebook] to be fully compliant [with GDPR] on May 25th." Not just "materially compliant" but "fully" compliant" (and just two months after the Cambridge Analytica revelations, too).
"That's a big assertion by Mark," says Sparrow, "and you could easily poke holes in that."
5. Those With Lax Payment Card Security Will Be Given Just Enough Rope to Hang Themselves With
Payment card data continues to be a popular target with attackers - so companies that are reckless with payment card data will be high on GDPR enforcement authorities' priority lists, predicts Michael Aminzade, vice president of global compliance and risk services at Trustwave.
"I expect the first enforcement to come from an industry where payment card data is prevalent such as retail, hospitality, or online storefronts in a country where secure code development practices and technologies like EMV chip use is less mature," says Aminzade.
Aminzade doesn't expect the the authorities to be quick on the draw, however. His guess is that the first action won't happen for 12- to 24 months. "The European Union along with major industries and other stakeholders knows full well that not everyone is quite ready, so to hammer an organization early on would make less of an impact."
"The first monetary penalty is sure to sting to make a point, but unlikely to be the maximum – that will come further down the road," he predicts.
6. Changing the Way You Use Data
"There has been an inordinate amount of focus on the potential fines," says Dave Lewis, global security advocate at Akamai Technologies. "The reality is that GDPR is very much a push towards ensuring the accountability of the data for which [companies] are stewards."
Cisco's Dennedy says that many businesses have more data than they can safely secure, and are coming around to the idea that they just won't collect it in the first place. Business models were encouraged by the tenet that storage is cheap, but, she says, cheap storage isn't ultimately a good thing, because it enabled more waste and created uncurated, unstructured data.
"It's kind of like that show 'Hoarders,' she says. "It's smelly in there."