We’ve been writing quite a bit about GDPR (along with most everyone else), and with its deadline rolling upon us there will be quite a bit more GDPR coverage to go around. But as the deadline draws closer, we’re beginning to see some of the potential fallout and unexpected consequences of the regulation. Ridding
And because GDPR applies to virtually every business with activity in the EU, the reach of GDPR is global. Companies around the world are moving to become compliant, doing so as best they can despite the rather vague directives. The directives will certainly be codified in the courts and as the result of lawsuits, but this will be many years in the making.
Some sites, rather than deal with the GDPR, decided to block EU citizens altogether using services such as https://gdpr-shield.io. I visited the site earlier and it boasts to do what its domain name promises: block EU citizens. Then I tried visiting the site over the weekend and I received a Service Unavailable error, due to either maintenance or overwhelming traffic. I suspect the latter.
Then there was the sudden closing of the social network influence rating service Klout. Klout announced recently that it was shuttering its doors. The date it picked? May 25th, the date GDPR goes into effect.
I think we’ll see some of the same implications that we saw with Sarbanes-Oxley. With Sarbanes-Oxley we saw large companies do okay as they complied with the law that TK and TK, while smaller companies struggled, and some argued that SOX had many far-ranging implications.
SOX came into being as a result of corporate fraud in the US, such as the famous Enron scandal. The cost of SOX compliance became quite high, and there was considerable evidence that many smaller public companies went private and that the rate of startups going public declined. An interesting paper that looked at the impact of SOX is available, Fallout from the Sarbanes-Oxley Act, and here is the PDF.
While the impact won’t be identical, GDPR is bound to punish smaller companies (relatively) harder.
Consider the small mobile marketing site Verve. Julie Bernard, Verve chief marketing officer told CNN Money that its operations in Europe would cease because "the regulatory environment is not favorable to our particular business model."
She told CNN Money “that while the new law would benefit consumers, it may also advantage large companies with the resources -- lawyers, data experts and programmers -- needed to make the transition.”
"The implications and ramifications of GDPR compliance will challenge numerous organizations ... with resources on scales smaller than, say -- and in particular -- Facebook and Google," she said to CNN Money.
The EU’s General Data Protection Regulation (GDPR) is a big change from how many firms have approached data protection in the past, from how responsive their security teams need to be to how clearly and quickly they can tell where personal data resides. It’s on the issue of personal data that companies are starting to sweat the most.
So what is personal data under GDPR anyway? According to GDPR, currently personal data is “any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
That’s quite a broad brush, and a much broader definition of personally identifiable information than has previously been in place anywhere. This can include even IP addresses and subject access requests.
The deadline for GDPR is here, and most surveys I’ve read point to the majority of organizations not being ready for GDPR compliance. So as the rest of the year unfolds, and we start seeing data breaches and the EU’s reaction to them, we are certain to see even more GDPR fallout and unexpected consequences.
For those GDPR laggards, our own Ericka Chickowski provided some advice in her post What's So Scary About GDPR? If there's one short-term step that organizations can take to do GDPR damage control, it is to start by improving organizational processes. This will be a way to show the regulators that the business is making a good faith effort to do something. This should be carried out on four major fronts, says Pierre-Luc Refalo, global head of strategic consulting and GDPR offer lead for Capgemini:
- Hire a Data Privacy Officer (DPO) and demonstrate your documentation
- Establish data protection registration management
- Document processor and third-party management
- Establish breach management and reporting procedures
And there’s no better time than now to get started.