Compliance

You Should Still Care About GDPR

GDPR Forces Companies to Examine How They Treat Data

In the days leading up to May 25, email inboxes were filled with updated privacy notices and requests for marketing consent. Web browsers saw more banners about “cookies” than they had since broadband became ubiquitous, and businesses began to consider how they were going to comply with the far-reaching regulation – never mind that the drop-dead date for compliance had been announced well in advance, covered by global media and discussed at conferences for at least 365 days prior.

In the era of Europe’s General Data Protection Regulation (GDPR), any company that handles EU data must comply with the regulation. If found non-compliant, companies are slapped with nasty fines (2%-4% of global revenue) and barred from doing business in the EU until they can prove the issues have been fixed. Not complying is a high-stakes game. In fact, some smaller firms, such as UnRoll.me and Verve, shut down their services to European users rather than contend with the anxiety surrounding potential non-compliance. Similarly, prominent media outlets in the United States blocked traffic from the EU altogether on May 26, rather than risk being labelled non-compliant.

Perhaps this was a smart move. Within minutes of the GDPR becoming a reality, advocacy groups and consumer watchdogs began running active challenge campaigns, flooding companies with information requests, testing their mettle, and validating their preparedness. To date, complaints have been filed against Google, Facebook, WhatsApp and Instagram, arguing that these companies do not offer true “consent”, as users are barred from using the services if they do not agree to non-negotiable terms. Additional complaints were filed against a number of US-based technology companies, including Microsoft and Android, data brokers like Acxiom, and internet providers like Verizon. This barrage signals that privacy hawks are prepared to use the new regulation as a way to force big companies to be better stewards of data.

Big companies can state they are compliant, have a documented process for components of GDPR and appoint a Data Privacy Officer, but odds are their current structure will never allow them to find, identify, and categorize all the data that they have collected over time. As a result, these companies may avoid tangling with GDPR until ‘Dave’ notices his request for information wasn’t complete, or finds his PII leaked to the web – outside the window of the mandatory breach notification period – at which time the company will be liable for the fine and open to suit from all affected individuals. GDPR establishes a statute and, soon, a precedent: guilt will be assumed, and failure to maintain compliance will result in businesses being fined and having to defend themselves in court. If fined, brand reputation is also at stake, as the public is likely to read GDPR violations, even from a company that outwardly took measures to be compliant, as a sign that the company does not truly value or respect users’ data.

Regardless of whether they believe they can comply, the GDPR forces companies to examine how they treat data. We know that an individual’s non-public and personally identifiable information is one of their most valuable possessions, and consumers prioritize doing business with companies that respect and protect their interests. Because data is also the most valuable possession of a company, it should be a moral imperative for companies to protect the individual assets of each of their customers. After all, the data being collected is only on loan for a specific purpose. And, like any loan, all reasonable precautions must be taken to safeguard the asset, and the asset is not transferable. The borrower must inform the lender of what he will be using the loan for, and the loan should be returned in full when it is deemed mature. If you tear away all the legalese and nearly 11 years of committees, this is what GDPR is designed for.

Today, the seriousness of GDPR is not up for debate; the regulation may very well drive the next 10 years of IT and make companies better stewards of data, their most valuable resource. Whether we will see a transformation in how data is managed by big companies remains to be seen; however, implementing a long-term path to compliance would undoubtedly have a great effect on how global companies are viewed by advocacy groups, policy makers and, most importantly, their constituents.
