Data Privacy and Security

What we know, and don’t know, about GDPR

Image credit: Tomkie sFastyne via Flickr

Organisations caught up in the machinations of the European Union’s General Data Protection Regulation could be forgiven for feeling that the media frenzy over GDPR is generating more heat than light. With just a year to go before GDPR takes effect on 25 May 2018, we are still in the dark over many areas, even if in others we see some glimpses of light.

Based on recent discussions with experts and others in the know, here’s a summary of what we can confidently say we know and what remains nebulous.


We don’t know that much about penalties. Of course the big headline says that organisations can be fined up to four per cent of global annual revenue based on the previous financial year. But will that really happen? Would a German regulator have the gumption to levy a fine running to hundreds of millions of euros against a Volkswagen? Would France do that to an AXA? And would a foreign regulator be more or less likely to impose big hits on one of those companies? “Regulators are saying they’ve got the guts to do it,” says Jonathan Armstrong of law firm Cordery, “but we won’t know until the fat lady sings.”

There’s likely to be a big test case... as with celebrity tax avoiders, it will surely be natural for a regulator to make an example of an egregious offender, perhaps a big brand, as a warning to others. A lighthouse lawsuit would bring attention and focus to GDPR, showing that regulatory watchdogs have not necessarily been de-fanged. “France has already stated that it wants to make a public example of organisations who breach the regulation once it comes into force to ensure that it isn’t ignored,” notes Chris Bridgland, chief technology officer of storage software giant Veritas.

… but when will that case close? Fines will be appealable, so it could be several years before we see a big-penalty verdict reach closure. Remember that UK broadband provider TalkTalk even contested a £1,000 fine imposed by the Information Commissioner’s Office over a failure to notify the ICO of a personal data breach.

The nuisance value of GDPR will be enormous. Finding evidence, redacting other parties mentioned in communications, and storing and tagging data to make it searchable in the first place will chew through time and require expensive tools to be acquired. And how on earth will companies be able to spot manual data breaches, for example leaks of data jotted down with paper and pen? “There has to be a reason for subject access requests to be warranted so many of the nuisance requests will be eliminated early in the process,” says Veritas’s Bridgland. “However, there could be class actions, as we are seeing with a high street name right now, based on a prior breach of personal data.”

Subject Access Requests will be free. Today in the UK we can demand that organisations reveal what they hold on us for £10. Under GDPR these requests will be free, and that change might accelerate an already ongoing boom in such requests, because many individuals are deterred by having to pay even this small sum. Cordery’s Armstrong says subject access requests are ten times more common in the UK than two years ago. He believes they could be used to disrupt targeted organisations, with protest groups potentially coming together to create hundreds or thousands of coordinated challenges that act “like a DDoS attack”.

Companies will need to have a plan. A bad plan might be better than no plan at all, and the worst thing to do would be to leave your GDPR strategy until it is too little, too late. That ostrich mentality might be prevalent, though: Armstrong suggests perhaps 10 to 15 per cent of the organisations he has come across have appointed a data protection officer; a DPO isn’t mandatory, but most large businesses are likely to require one under GDPR. He recommends providing employees with easily consumable policies no more than a couple of pages long and written in clear language.

Nima Balati, senior director of product management at security company Absolute, says an audit is the obvious first step: “A lot of organisations don’t even know how many laptops they have in their environment or have any way of being able to touch that laptop again if it is lost.” Tools such as configuration management databases and application whitelisting are also useful.

A recent report from Veritas suggests almost half of companies researched fear they won’t meet GDPR demands. Another from Experian says the same.

We’re confident that Brexit will be no protection. Even when (if?) the UK finally leaves the EU, the fact that the country has such tight trading arrangements with our European neighbours will mean we need to have some sort of equivalent legislation and, effectively, obey the same rules. Even if that isn’t the case, GDPR has extra-territorial effect so businesses based in the UK would still have to comply if they want to do business in the EU.

We don’t know if this will turn out to be a pro-consumer thing. Although GDPR was supposed to strike a balance between being a useful framework for organisations and a protection for consumers, it looks a lot like it has ended up weighted heavily in favour of consumers. But the costs of meeting GDPR demands will likely end up in the consumer’s half of the court as businesses pass on GDPR-related costs.

GDPR cases could have a sizeable impact on company valuations. We saw Yahoo suffer a nasty haircut worth hundreds of millions of dollars because its buyer, Verizon, was concerned about the former’s ongoing case involving hacked customer details. With such vast penalties theoretically available to regulators, companies caught up in GDPR cases could see hits to their share prices and other valuation mechanisms. Here’s Veritas:

“The cost of falling foul of the GDPR publicly could lose companies their customers and even put some out of business. Our recent research of 900 business decision makers put this at 19 per cent and 18 per cent respectively, so it’s a very significant worry for many. Over one in ten (12%) also believe negative media or social media coverage would devalue their brand.”

We don’t know which national regulators will be tough. A tough regulator could be a turn-off for businesses, driving them elsewhere. On the other hand, some governments will seek to show that they are tough on businesses. Then again, the parties offended against could take their cases to another country… but will this happen? As Cordery’s Armstrong asks, “If I’m a Spanish person mad as a dog [about an abuse of my data privacy], am I going to call Dublin? Probably not.”

This could get political. It’s probably not too cynical to propose that if one country’s regulator gets tough on businesses from another country we might see tit-for-tat exchanges.

We don’t know if GDPR will drive companies to or from the cloud. Some organisations might take the view that they need very close control of their customer data and conclude that this means storing and processing it on premises. But others might see a cloud platform as a way to gain the benefit of protections that are built in. AWS, for example, is attempting to reassure customers that its Data Processing Agreement is GDPR-compliant.

On its blog, Stephen Schmidt of AWS wrote:

“In addition to account managers, we have teams of compliance experts, data protection specialists, and security experts working with customers across Europe to answer their questions and help them prepare for running workloads in the AWS Cloud after the GDPR comes into force. To further answer customers’ questions, we have updated our EU Data Protection website. This website includes information about what the GDPR is, the changes it brings to organizations operating in the EU, the services AWS offers to help you comply with the GDPR, and advice about how you can prepare.”

The lawyers will not be laughing all the way to the bank (as much as usual). It’s a rule of life, of course, that the lawyers tend to come out smiling in most scenarios, but a lack of available talent means that GDPR will become a huge boom for the few who can service it. “In days gone by, most lawyers weren’t very good at technology and there wasn’t much money in data protection law compared to sectors such as banking so the talent pool is small and people are already fishing out of it,” says Armstrong.

GDPR preparedness may pay surprise dividends. While compliance is often regarded as a chore, Oz Alashe of cloud security platform provider CybSafe believes that companies that prepare for GDPR will benefit from having more easily searchable, protected and useful data than those that don’t. “There’s a real bonus to be had,” he says.
Martin Veitch

Martin Veitch is Editorial Director at IDG Connect
