
You Should Still Care About GDPR

GDPR Forces Companies to Examine How They Treat Data


In the days leading up to May 25, email inboxes were filled with updated privacy notices and requests for marketing consent. Web browsers saw more banners about “cookies” than they had since broadband became ubiquitous, and businesses began to consider how they were going to comply with the far-reaching regulation – never mind that the drop-dead date for compliance had been well announced, covered by global media and discussed at conferences for at least 365 days beforehand.

In the era of Europe’s General Data Protection Regulation (GDPR), any company that handles EU data must comply with the regulation. If found non-compliant, companies are slapped with nasty fines (2%-4% of global revenue) and barred from doing business in the EU until they can prove the issues have been fixed. Not complying is a high-stakes game. In fact, some smaller firms, such as UnRoll.me and Verve, shut down their services to European users rather than contend with the anxiety surrounding potential non-compliance. Similarly, prominent media outlets in the United States blocked traffic from the EU altogether on May 26, rather than risk being labelled non-compliant.

Perhaps this was a smart move. Within minutes of the GDPR becoming a reality, advocacy groups and consumer watchdogs began running active challenge campaigns, flooding companies with information requests, testing their mettle, and validating their preparedness. To date, complaints have been filed against Google, Facebook, WhatsApp and Instagram, citing that these companies do not offer true “consent”, as users are banned from using the services if they do not agree to non-negotiable terms. Additional complaints were filed against a number of US-based technology companies, including Microsoft and Android, data brokers like Acxiom, and internet providers like Verizon. This barrage signals that privacy hawks are prepared to use the new regulation as a way to force big companies to be better stewards of data.

Big companies can state they are compliant, have a documented process for components of GDPR and appoint a Data Privacy Officer, but odds are their current structure will never allow them to find, identify, and categorize all the data that they have collected over time. As a result, these companies may avoid tangling with GDPR until ‘Dave’ notices his request for information wasn’t complete or finds his PII leaked to the web – outside the window of the mandatory breach notification period – at which time the company will be liable for the fine and open to suits from all affected individuals. GDPR establishes a statute and, soon, a precedent: guilt will be assumed, and failure to maintain compliance will result in businesses getting fined and having to defend themselves in court. If fined, brand reputation is also at stake, as the public is likely to read GDPR violations, even from a company that outwardly took measures to be compliant, as a sign that the company does not truly value or respect users’ data.

Regardless of whether they believe they can comply, the GDPR forces companies to examine how they treat data. We know that an individual’s non-public and personally identifiable information is one of their most valuable possessions, and consumers prioritize doing business with companies that respect and protect their interests. Because data is also the most valuable possession of a company, it should be a moral imperative for companies to protect the individual assets of each of their customers. After all, the data being collected is only on loan for a specific purpose. And, like any loan, all reasonable precautions must be taken to safeguard the asset, and the asset is not transferable. The borrower must inform the lender of what he will be using the loan for, and the loan should be returned in full when it is deemed mature. If you tear away all the legalese and nearly 11 years of committees, this is what GDPR is designed for.

Today, the seriousness of GDPR is not up for debate; the regulation may very well drive the next 10 years of IT and make companies better stewards of data, their most valuable resource. Whether we will experience a transformation in how data is managed by big companies remains to be seen; however, implementing a long-term path to compliance would undoubtedly have a great effect on how global companies are viewed by advocacy groups, policy makers and, most importantly, their constituents.
