‘Head In The Sand’ Approach Hurting Enterprises Post-GDPR?
EU's Sweeping Regulation: One Month Later
It has been a month since the European Union (EU) rolled out the General Data Protection Regulation (GDPR), a sweeping mandate that affects any organization holding individual data from the EU and European Economic Area (EEA).
But what does the regulation mean for Information Security as a whole? Did it usher in a new era of stringent controls? Has it begun to inspire measurable change? How scalable is it, globally?
As mentioned, once GDPR became enforceable, enterprises handling individual data from the EU fell under the careful watch of European regulators. Companies that mishandle this sensitive data are then subject to steep fines – up to €20 million or 4% of global turnover.
Needless to say, businesses responded. In a recent piece for CNN Money, Herjavec Group CEO, Robert Herjavec, outlined the need for similar policy in the U.S., along with quick-fix steps to seek compliance. He also said that the strict mandate “has his attention” as a CEO. This side effect, it seems, has suffused the industry – leaving C-Suite members and other executives dwelling on data privacy.
Among its provisions, GDPR features “Privacy by Design,” along with requirements around breach notification, the opt-out process and the appointment of a Data Protection Officer (DPO).
Many cyber experts predicted large-scale filings in the wake of GDPR – noting that once the regulation became directly applicable, there would be data activists seeking justice for digital wrongdoings.
These pundits weren’t too far off either, as Silicon Valley tech giants immediately saw specific complaints leveled against them. According to the New York Times, Austrian privacy advocacy group NOYB (“none of your business”) filed four GDPR complaints against companies such as Google and Facebook, plus Facebook subsidiaries WhatsApp and Instagram. The complaint said that the companies failed to give European users specific control over their data.
Complaints were filed in France, Belgium, Germany and Austria, and asked regulators to impose fines up to $4.3 billion on Alphabet, Google’s parent company, and $1.5 billion each on Facebook, Instagram and WhatsApp. That comprises 4% of 2017 revenue.
The Times labeled Austrian lawyer, Max Schrems, as the NOYB architect. Schrems has a history of challenging large companies such as Facebook on their data privacy policies.
What’s more, the recent Cambridge Analytica scandal with Facebook underscored the need for more transparency with data controls.
Other companies took immediate GDPR action – some of which effectively distanced EU consumers. For example, the Washington Post added a fee for EU citizens for a service without advertisements. Other sites even went dark for EU users.
Despite these service alterations, has GDPR truly driven change?
What Have You Seen?
Dr. Rebecca Wynn, Head of Information Security and DPO, Matrix Medical Network, told the Cyber Security Hub that “it’s pretty amazing to me to still see many Chief Compliance Officers, Chief Privacy Officers and Chief Risk Officers who aren’t sanctioning internal assessment to see how the global change in laws…will affect the business.”
She said an EU avoidance policy in the U.S. is “a very naïve point of view, and really is the ‘head in the sand’ approach.”
Wynn also predicted similar regulations in the U.S. within the next 12-18 months. She also said many enterprises are adopting GDPR as their own standard.
Similarly, Mark Hellbusch, Senior Cyber Security Consultant and Information Security Officer at GBprotect Inc., told the Cyber Security Hub that he has continued to see “organizations fail to demonstrate where data resides within their systems.”
He said “data mapping” lies at the center of GDPR, because without a proper understanding of where data resides, any protection program is bound to fail.
“Privacy by Design isn’t just the responsibility of IT, it’s the responsibility and ownership of the business units,” he added.
Like Wynn, Hellbusch predicted that other countries – and possibly NIST – will come out with equally stringent best practices.
What’s To Come?
Both cyber security experts predicted that there will be substantial GDPR offenders in the near future, too.
Wynn said, “There will be companies like Facebook who try to fight that you as an individual should have ‘Privacy by Design and Default,’ so they will challenge the fines in various world courts and play ‘catch me if you can.’”
She continued: “The second group will…find themselves in violation and being fined and their response will be one of shock as they say, ‘You were serious!’”
The cyber expert predicted that in the next few years, adjustments will be made to attain a global framework and standard.
Similarly, Hellbusch emphasized the importance of data mapping and a data registry.
“The offenders will be organizations that won’t take into account what GDPR is really about, and that’s data ownership,” he said. “Unless you shift your thinking, offenders are out there today and we will see more of them come to light this year as GDPR progresses.”
In closing, perhaps it’s best to describe GDPR as an attainable standard, and a mandate poised to return a measure of data ownership to the consumer. For the enterprise, it means stricter controls and far more visibility into where personal data resides and how it is handled. While the regulation has not brought global business, markets or industries to a standstill just yet, it appears prepared to shape data privacy practice for the foreseeable future.
Be sure to keep tabs on GDPR coverage at the Cyber Security Hub!