Fouad Khalil traces back through a half-year of GDPR in action and finds a mixed bag of regulation and compliance.
Ahead of the General Data Protection Regulation (GDPR) entering law on 25 May 2018, the security industry and wider business community were rife with speculation about how the new legislation might impact different working practices. In many industries, there was widespread apprehension that the GDPR would greatly restrict or even end working practices that had been relied upon for years.
Now, with 25 November marking six months since the GDPR came into effect, the reality of the new regulation is a mixed bag.
Enforcement and fines
The prospect of fines of up to 4pc of global turnover has been one of the biggest GDPR discussion points. The European Union’s data protection supervisor, Giovanni Buttarelli, recently stated that the first GDPR enforcement actions would begin before the end of the year, which means we will start to see fines emerging over the next few months.
We have seen a few isolated incidents so far that are the results of reported breaches rather than proactive audits by regulators. In October, a Portuguese hospital was hit with a €400,000 fine for two GDPR violations relating to inappropriate access to patient data.
Meanwhile, Facebook announced a potential breach of 50m users in September. While the company has been plagued by privacy crises over the last year, this is the first instance to emerge after the GDPR became active.
International compliance issues
One complication that was seldom discussed before the GDPR’s introduction is that individual EU countries must supplement GDPR requirements with their own national data protection laws. Of the 28 current members of the EU, 18 have passed the required bills, but 10 more have only published a bill and are still deliberating with their parliaments.
There are several intensely debated issues that have delayed the process in individual countries. The biggest points of contention include the obligation to appoint a data protection officer, sanctions on data controllers for non-compliance, and the age of consent for personal data.
With these individual data protection bills still pending, the situation can be very confusing for businesses operating in or trading with nations that are still deliberating.
Lack of action in the US
Outside of EU members and the unique case of the UK amid the ongoing Brexit process, the United States has perhaps seen the most involved speculation and discussion on the GDPR. Six months on, however, there has been surprisingly little action at both the business and governmental levels.
California introduced the California Consumer Privacy Act (CCPA) earlier this year, which has often been described as ‘GDPR Lite’ and will come into law in 2020. An attempt was made by Senator Ron Wyden of Oregon to introduce a privacy bill at the federal level with the same objective as the GDPR. It is expected to stall in the House, with little prospect of enactment any time soon.
Similarly, many US businesses have been notoriously slow in complying with or even particularly acknowledging the GDPR. A glaring example is that several prominent US publications are currently inaccessible to EU-based readers. These organisations have apparently made a judgement call that their business model is better off shedding international readers than investing in compliance, which is certainly a novel approach. However, time will tell if this is sustainable.
I believe that, once the first wave of enforcement actions comes in, US businesses will quickly take note and up their game – particularly if giants such as Facebook are hit with damaging fines for the first time. Likewise, individual states will begin to follow California’s example, and we should see movement at a federal level as well.
Impact on blockchain and other technology
Blockchain has emerged as a leading technology trend in recent years. The system of secure-by-design digital ledgers has a huge number of applications, from proof-of-ownership contracts to distributed cloud services. However, the GDPR throws many of these applications into question.
For example, if data in a co-hosted cloud environment is breached, who is to blame? How do you isolate which design flaw enabled the security breach to happen?
There are many complex cases that will be difficult to fully define until a test case emerges. In the meantime, speculation is likely to impact the decision to store datasets in private and public blockchains.
A map for the road ahead
Six months on and with the first wave of enforcement actions imminent, I have been surprised at the lack of more direct guidance from regulators. The GDPR is notably light on prescriptive commands compared to previous regulations. This can be a good thing, as it encourages companies to consider the spirit of the law rather than just making it a tick-box exercise. However, it has also made the job of compliance much more difficult.
It is time regulators issued more direct guidance for organisations as it will be difficult to conduct a proper audit without it. Until then, many companies will continue to take their chances.
While it is large multinational organisations such as Facebook that continue to attract the headlines around GDPR and data security in general, I believe small businesses are likely to feel the impact of the regulation the most keenly in 2019. The lack of more direct guidance, coupled with their limited resources, makes compliance much more difficult.
With the road ahead still largely unmapped even six months on, I would urge businesses of all sizes not to take their chances on compliance, and to ensure they are doing the best they can. Companies need to move away from point-in-time compliance. While this has been a popular choice due to its lower cost, it will become a riskier option as the environment continues to change, and firms should look at more mature options that incorporate continuous auditing and monitoring.
Organisations that invest in maturing their privacy and security capabilities now will be in a much better position to stay compliant and win new business in 2019 and beyond.
By Fouad Khalil
Fouad Khalil is vice-president of compliance at SecurityScorecard. He has extensive experience in the technology space with more than 25 years spanning disciplines in software development, IT support, programme and project management, and IT security and compliance management.