GDPR: Where are we now?

By now, the General Data Protection Regulation, or GDPR, is in full effect. Users see its impact each time a website asks for permission to collect cookies and in each notification email about updated privacy policies. Companies are being inundated with inquiries about personal information as users are getting smarter about protecting their data in today’s data economy.

Who’s benefitting?

In today’s data-rich world, users are experiencing the fruits of data transparency, thanks to GDPR. The regulation has forced companies large and small to divulge what user data is collected and what is done with it. As a result, users can now choose whether they’re comfortable with it and opt out if they’d like. While the majority of users will opt-in, so they can use their beloved social media apps or read their favorite news publication, at least they now have a warning and are armed with the truth.

Another group that’s benefitting are those who work in cybersecurity, of course. Companies hired to help other companies prep for GDPR are busier than ever and reaping the rewards. Individuals who work in cybersecurity are also winners. Data Protection Officers (DPO) and Chief Information Security Officers (CISO) are in high-demand, as companies are scrambling to remain compliant and avoid catastrophic vulnerabilities. It’s no surprise that data protection was recently cited as a top priority for 82 percent of federal decision makers, according to the 2018 Federal Data Protection Report.

The more data that’s produced, the bigger a business it will become.

Who’s suffering?

Although the European Parliament and Council of the European Union gave companies two full years to become GDPR compliant, many companies didn’t act until the deadline neared. Recognizable companies sitting on a treasure trove of user data are still in the hot seat.

Already, complaints have been filed against Facebook, Facebook-owned Instagram, Facebook-owned WhatsApp, and Google. The complaints argue the companies are forcing consent on users to continue to process individual personal data.  The law requires users be given a free choice unless consent is strictly necessary for the provision of the service.  Facebook claims its core product is social networking and not collecting personal data for ad targeting, so forcing data collection consent does pose a problem.

Facebook’s recent data scandal shed light on its struggles and the latest reports note that the social media giant doesn’t know where much of its user data went.

Facebook is making efforts, though.  ‘Clear History’ is a function which will allow users to see the websites and apps that send Facebook information, clear this information, and disable Facebook’s ability to store this information.  The tug of war between companies like Facebook and EU regulators will continue as GDPR is fully operationalized by companies.

Another immediate impact of GDPR has been seen in the news industry. Newspapers such as the Los Angeles Times and Chicago Tribune stopped allowing European readers access to their sites to avoid risk. Tronc, the company that owns these and other newspapers, has decided to block all European readers rather than risk being found non-compliant with GDPR and face huge financial penalties.  Penalties can be as high as 4 percent of a company’s global revenue, so it deserves the attention it’s getting.

Lee Enterprises also blocked European readers from its websites including the St. Louis Post Dispatch. USA Today took a different approach by offering a GDPR-compliant version of its site.  Other news publications have requested that users opt-in to data collection, which may run into the same forced consent issue as Facebook. NPR is publishing a plaintext version of their site to users that did not opt-in.

There are also lengthy debates going on regarding the territorial scope of GDPR.  If an EU citizen is traveling the US on vacation, do GDPR requirements still apply? If a non-EU citizen is living in Europe, do the GDPR requirements still apply?

These topics will continue to make headlines for the foreseeable future.

Lingering challenges

Though May 25^th feels like the distant past, we are still in the ‘goal’ vs ‘reality’ portion of GDPR execution.  The ‘Right to be Forgotten’ concept within GDPR that allows a consumer the right to have personal information erased continues to be a hard task for many organizations to meet.

Another GDPR requirement is that companies must identify a data protection (DPO) officer. While it’s tempting to just give the title to an existing information security officer, it’s highly recommended that companies hire a DPO as a new role in the organization. However, hiring for that role is no small feat, so many enterprises are outsourcing the DPO to a third-party security firm or global system integrator (GSI) such as Deloitte or PwC. The ideal DPO should have in-depth IT knowledge as well as data protection law experience and the ability to master all of the specific duties outlined in GDPR Article 39.

But, despite its challenges, other countries and U.S. states are taking notice. Canada is aligning its data law with GDPR’s standards and California just passed the Consumer Privacy Act of 2018 (aka bill AB375), which will require companies to disclose personal information if a consumer requests it. The California privacy law will go into effect in 2020.

Only time will tell what ultimately happens with GDPR’s compliance. It’s estimated that just 61 percent of UK businesses were ready for the enforcement of the GDPR on its May 25 deadline, meaning nearly 40 percent weren’t. As soon as a well-known company gets fined, the race toward compliance will heat up again.