GDPR’s Impact: The First Six Months

GDPR is now six months old, it’s time to take an assessment of the regulation’s impact so far. At first blush it would appear very little has changed. 

There are no well-publicised actions being taken against offenders. No large fines levied. So does this mean it’s yet another regulation that will be ignored?  Actually nothing could be farther from the truth.

The day GDPR came into law complaints were filed by data subjects against Facebook and Google. Complaints, that does not sound like action by regulators, in fact it’s not, its action taken by lawyers. 

GDPR is a much-evolved form of European regulation allowing data subjects to file suits against data collectors whom they believe are violating their rights. 

This battle is going to be fought in 28 EU countries courts much sooner than in their Data Protection ministries who enforce the law and handout fines for violations.

Activist legal teams like Austrian noyb and its founder Max Schrems who had a strong hand in drafting GDPR are taking up these complaints. 

Meanwhile activist Privacy International is going after the likes of Oracle, filing complaints in the UK along similar lines as to the claims against Google and Facebook in that there is ongoing disregard to establishing legitimate-use of data collected and a disregard of individual’s rights because in fact those individuals do not know their data is being collected, so there is no expectation they can ask that their data be removed.

Regulator action will take time as six months is too early to get a proper read. Yet, we can still get a feel for what is going on by looking at what’s happening in a given country. 

The UK is interesting; their Information Commissioner predates GDPR as UKs privacy regulations go back to 1998 and the UK commissioner is currently publishing findings and leveling fines after investigations for activities dating back to 2016. That gives us a feel for how long investigations may take under GDPR.

Perhaps we will not know the full impact for another two years to the magnitude of fines levied. 

Facebook’s challenges with Cambridge Analytica were lucky in that they fell under the prior law resulting in a smaller 500K GDP fine than the billions allowed by GDPR. 

Breaches at British Airways and others, which took place since GDPR became active, are being carefully monitored to see if in fact they were properly reported to the UK commission within the 72-hour limit of being discovered.

The hotbed for US companies is Dublin as Ireland is where many US companies have their European headquarters. Helen Dixon, the current Republic of Ireland Commissioner, and her office is one of the busiest in Europe working with these companies as they scrabble to be complaint under the law.

GDPR has had influence internationally, 10 countries including Canada, whose law just went active this month, now have very similar laws. California also has a much-watered down version that went into effect as well. None of these laws carry the same fines, but most allow for litigation. 

California is just one of 26 states that have such laws on the books. These laws vary widely in their rules. Because of this the Internet Association, an influential lobby group for Internet based companies, has come out indicating it would be for a single US law to provide uniform privacy assurance.

The difference being in how they want the law to be written. Here is an example: Google’s Android OS terms and conditions states that the user, by activating their service, consents to Google’s collection of their personal data across All Google products for any use. 

Today once you activate you can’t go back and ask them to remove you. The Internet Association’s President Michael Beckerman, states that individuals should have a right to ask what has been collected and then have this information removed, if they discontinue using the product/service. The difference is GDPR does not force you to disconnect your $1000 phone.

Given all that, perhaps it’s not surprising that Apple CEO, Tim Cook, has come out strongly in favor of having a similar strength version of GDPR in the USA. Apparently they don’t collect the same data that Google, Facebook and Amazon do. Score one for capitalism?

Overall GDPR has had a subtle but extremely influential impact in the Internet world already. With all the lawyers involved, it’s not likely going by the wayside anytime soon.

Help Net Security:

You Might Also Read:

GDPR Survey Shows 80% Non-Compliance

GDPR Alert As Average ICO Fines Double In A Year

« Japan’s Cyber Security Minister Admits He Just Doesn't Get It
Britain's Top Soldier Warns Of Russian Threats »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

MetaCompliance

MetaCompliance

MetaCompliance is a cyber security and compliance organisation that helps transform your company culture and safeguard your data and values.

CERT Polska

CERT Polska

CERT Polska is the first Polish computer emergency response team and operates within the structures of NASK (Research and Academic Computer Network) research institute.

Norwegian Business & Industry Security Council (NSR)

Norwegian Business & Industry Security Council (NSR)

NSR is a member organization serving the Norwegian business sector in an advisory capacity on matters relating to crime and security including cyber.

Cybersixgill

Cybersixgill

Cybersixgill was founded with a single mission: to protect organizations against malicious cyber attacks that come from the deep and dark web, before they materialize.

Sothis

Sothis

Sothis is an information technology services company offering a range of solutions including cybersecurity, managed security services, information governance and compliance.

Clym

Clym

Clym is the data privacy platform that helps organisations meet their data protection obligations. Cookies, Consent, Requests, Policies and more are all managed in a secure and adaptive application.

Trusted Objects

Trusted Objects

Trusted Object's mission is to provide state of the art security solutions and services enabling a strong root of trust for the IoT ecosystem.

Braintrace

Braintrace

Braintrace’s services include Managed Detection and Response (MDR), Managed SIEM, SIEM-as-a-Service, SOC-as-a-Service, Advisory Services, and Incident Response.

Africa ICS Cyber Security Conference

Africa ICS Cyber Security Conference

Africa's largest ICS Cyber Security Conference and Expo. The only platform that will proudly present top level B2B and B2C networking opportunities.

Control System Cyber Security Association International (CS2AI)

Control System Cyber Security Association International (CS2AI)

CS2AI is the premier global not for profit workforce development organization supporting professionals of all levels charged with securing control systems.

NGN International

NGN International

NGN International is a full-fledged systems integrator and managed security services provider established in 2015 in Bahrain.

Department of Homeland Security (DHS)

Department of Homeland Security (DHS)

The Department of Homeland Security has a vital mission: to secure the nation from the many threats we face. Our duties are wide-ranging, but our goal is clear - keeping America safe.

Gilsbar

Gilsbar

For more than half a century, Gilsbar has offered insurance service solutions and support for businesses and their employees.

Beacon Technology

Beacon Technology

Beacon Technology offers a comprehensive platform consisting of XDR, VMDR, and Breach and Attack simulation tools.

Codezero Technologies

Codezero Technologies

Codezero is at the forefront of microservices development, employing an identity-aware overlay network that delivers zero-trust security to DevOps.

Index Engines

Index Engines

Index Engines is the world’s leading AI-powered analytics engine to detect data corruption due to ransomware.