GDPR Oddsmakers: Who, Where, When Will Enforcement Hit First?

  /     /     /  
Publicated : 22/11/2024   Category : security


GDPR Oddsmakers: Who, Where, When Will Enforcement Hit First?


The GDPR grace period ends today. Experts take their best guesses on when data protection authorities will strike - and what kind of organizations will be first to feel the sting of the EU privacy law.



Alarm bells are ringing. The grace period is over. As of today, supervisory authorities are officially free to lay down enforcement action for the European Unions General Data Protection Regulation (GDPR). Now come the real questions: who gets hit first, for what, how hard, and when does the hammer drop?
There are probably as many answers to those question as there are supervisory authorities (SAs), and there are many, notes Omer Tene, vice president and chief knowledge officer of the International Association of Privacy Professionals. Tene points out that there are 28 different EU member states, and not only might they have individual federal authorities, but they may also have a dozen more for individual states - similar to the US system. Different authorities have different priorities and different appetites for litigation or punitive action, he says.
They also vary in their staffing and resources. As Michelle Dennedy, chief privacy officer of Cisco, puts it, the privacy field is small enough that almost everyone knows each other by name. While Tene doesnt think there has been a connection between the size of authorities resources and the size of their appetities - some of the smaller ones going after the biggest companies in the past - Dennedy maintains it could affect the number of organizations they investigate.
GDPR sets down new rules about consent, requiring organizations to obtain individuals’ consent to collect, store, use, share, transmit, or sell their personal information for any reason – and an individual can withdraw that consent at any time, meaning that the organization must retrieve and destroy information as necessary. It includes rules about information security, including pseudonymization, encryption, and multi-factor authentication.
The law applies to the data of EU citizens, regardless of where the data resides, so it affects organizations across the globe.   
If youve started your compliance process but arent finished, you might not need to lose sleep. Yet. 
I dont think regulators are necessarily trying to play gotcha, says Greg Sparrow, senior vice president and general manager of CompliancePoint. Rather than trying to stick it to the organizations that dont have every control for every article in place yet, he says theyre looking for willful neglect and blatant disregard for the law and its intent.
Dennedy agrees. A good will effort [to comply] is worth a lot. ... Youre definitely going to help limit your risk [of punitive action], and more importantly youre going to go a long way with your customers, she says.
Dont get too comfortable, though. The experts agree the enforcement actions - at least investigations - will come and come quickly. How quickly, and to whom? Here are the experts best guesses: 
1. Individual Citizens (and Trolls) Press the Issue 
Individual citizens can also bring their civil cases against companies under GDPR, without waiting for the nation-state supervisory authorities to take the lead. Tene says that is another question mark for GDPR: what will individual complaints look like, and what impact will they have. 
The
first volley
has already been launched. Privacy group noyb.eu, led by activist Max Schrems, 
filed complaints
 against Facebook, Google, Instagram, and WhatsApp today. The companies are accused of forcing users to consent to targeted advertising to use the services, without being given a genuinely free choice.
We are hearing from our advisors and customers, of increased occurrences of trolls that are testing out GDPR readiness with customers, says 1touch.io CEO and co-founder Zak Rubinstein. The first cases are likely to be the easiest to prove and will evolve around Data Subject Access Rights. This could take place as early as Q3 this year.
2. Shadier Company Investigated Within a Week, or Sooner
 
GDPR gets lots of attention for the how it can bloody an organization with fines of 200 million Euro of 4% of global annual revenue. However, like a shark, GDPR has other rows of teeth it can sink into an organization - like orders to stop data processing activity, for example - which could be even more devastating.
Its these other powers that IAPPs Tene thinks will be put to most use, particularly against shadier companies doing unwholesome things with individuals private data. He gives Cambridge Analytica as an example as such an organization.
By issuing orders to stop data processing rather than simply leveling fines, Tene says, GDPR can clear the ecosystem of organizations that violate individuals privacy. Fines may not accomplish the same. Anti-trust enforcers have had powers to issue fines for years and we still scarcely see those, he notes. 
Tene says to expect a data protection authority to issue a complaint or begin an investigation against this sort of company within a week or two, maybe even within an hour of when GDPR enforcement goes into effect.
Michael Feiertag, CEO of tCell and former head of products at Okta, notes the same thing. Because there is so much abuse to choose from, the first companies to feel enforcement action  will be smaller EU-based phone and email marketing firms using deceptive techniques to collect personal info from Germans and using it to peddle junk Free pretzel with your Viagra offers, says Feiertag.
He expects authorities to spend their first years racking up popular wins to build confidence in the new regulatory regime. They will pick a number of truly bad actors and put them out of business with crushing audits, legal proceedings and fines.
The interesting wild card is whether the next Cambridge Analytica is discovered soon, says Feiertag. If so, I expect an ambitious [supervisory authority] to use its audit powers to disrupt that companys ability to do business.
3. Local Precedent-Setters Ready Way for Multinational Giant 
If I was a regulator, Id be thinking well my staff hasnt quadrupled, but we have to have an impact, says Ciscos Dennedy. So what I wouldnt do is ... have all of them go after an Amazon or a Google on Day One.
She expects that an authority might choose one multinational headliner to investigate and then a cluster of local organizations - focusing on those that handle childrens data or pose public health/security risks, for example. 
CompliancePoints Sparrow anticipates the same pattern, for another reason. Enforcing the regulations upon a local entity, where there are clear uncomplicated lines of jurisdiction, he says, makes it easier to establish legal precedent.
That sounds like perfect logic to me, says Tene. Maybe a nice halibut before your Moby Dick. He notes, though, that these halibuts might actually be pretty big fish, locally. They might be household names in the region - major banks, healthcare facilities, or telecoms - but unknown internationally. 
4. A Tech Giant (Ahem, Facebook) Gets Audited Right Away
Experts do not think it will be too long before Moby Dick does get a call from the investigators, though.
Within the next six months, an investigation will launch, if not an enforcement action, says Sparrow. Theyre going to hit while theyve got momentum. Facebook would likely be the top of the list.
Facebook and Google will get the call, says tCells Feiertag.
Feiertag expects that major marketing or technology companies will be given spot checks on their compliance efforts soon, but not in anticipation of large enforcement actions. 
The vast majority of these organizations are attempting to comply with the the law as they understand its meaning, he says. The audits wont find much, but will begin to establish accepted practices and to ensure that the law continues to be followed. 
Sparrow, however, says, I do think Facebook is a little at risk.
He noted that European regulators are not afraid at all to go after Silicon Valley tech giants, and that just this week Mark Zuckerberg told European Parliament in Brussels We do expect [Facebook] to be fully compliant [with GDPR] on May 25th. Not just materially compliant but fully compliant (and just two months after the Cambridge Analytica revelations, too). 
Thats a big assertion by Mark, says Sparrow, and you could easily poke holes in that. 
5. Those With Lax Payment Card Security Will Be Given Just Enough Rope to Hang Themselves With
Payment card data continues to be a popular target with attackers - so companies that are reckless with payment card data will be high on GDPR enforcement authorities priority lists, predicts Michael Aminzade, vice president of global compliance and risk services at Trustwave.
I expect the first enforcement to come from an industry where payment card data is prevalent such as retail, hospitality, or online storefronts in a country where secure code development practices and technologies like EMV chip use is less mature, says Aminzade.
Aminzade doesnt expect the the authorities to be quick on the draw, however. His guess is that the first action wont happen for 12- to 24 months. The European Union along with major industries and other stakeholders knows full well that not everyone is quite ready, so to hammer an organization early on would make less of an impact. 
The first monetary penalty is sure to sting to make a point, but unlikely to be the maximum – that will come further down the road, he predicts. 
6. Changing the Way You Use Data
The first hits will come for the most obvious, most tangible offenses: passwords only where theres supposed to be multi-factor authentication, or an outdated privacy policy that doesnt pass muster. Eventually, though, GDPR will force fundamental changes to business models, experts say.
There has been an inordinate amount of focus on the potential fines, says Dave Lewis, global security advocate at Akamai Technologies. The reality is that GDPR is very much a push towards ensuring the accountability of the data for which [companies] are stewards.
Ciscos Dennedy says that many businesses have more data than they can safely secure, and are coming around to the idea that they just wont collect it in the first place. Business models were encouraged by the tenet that 
storage is cheap,
but, she says, cheap storage isnt ultimately a good thing, because it enabled more waste and created uncurated, unstructured data. 
Its kind of like that show Hoarders, she says. Its smelly in there.
Related Content:
GDPR, WHOIS & the Impact on Merchant Risk Security Monitoring
A Data Protection Officers Guide to the Post-GDPR Deadline Reality
GDPR 101: Keeping Data Safe Throughout the Supply Chain
10 Security Innovators to Watch

Last News

▸ IoT Devices on Average Have 25 Vulnerabilities ◂
Discovered: 23/12/2024
Category: security

▸ DHS-funded SWAMP scans code for bugs. ◂
Discovered: 23/12/2024
Category: security

▸ Debunking Machine Learning in Security. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
GDPR Oddsmakers: Who, Where, When Will Enforcement Hit First?