GDPR one year later: Slow compliance, lax enforcement

Published: May 23rd, 2019

It’s been one year since the General Data Protection Regulation (GDPR) went into effect. The regulation completely changes how organizations need to handle the data of European Union citizens.

The impact of the GDPR, though, has been minimal to this point. Compliance has been slow, enforcement has been lax, and organizations are finding that learning about data origin, residence and use can be hugely daunting and difficult.

When it first went into effect, there was a lot of panic among organizations that did business in the European Union (EU), because the fines for not complying can be steep. According to Christian Wigand, a spokesman for the European Commission, fines are determined based on a number of factors, such as how the company protected its data, how it reacted to a data breach, and whether it cooperated with the authorities.

According to a report from DLA Piper, as of February, 91 fines have been issued. They noted that a majority of those fines were relatively low in value. One of the major fines is Google, which was fined by France for €50 million Euros, which translates to roughly US$56 million. According to a press release from the European Data Protection Board, Google is being fined “for lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.

The regulation lists two different tiers of fines. For less severe violations, a company can be fined up to €10 million or up to two percent of their revenue from the previous financial year. More severe violations can cost a company up to €20 million or up to four percent of their revenue from the previous financial year.

According to DLA Piper’s report, the lower fines are applied in response to the breach of obligations to the controllers and processors (including breach notification obligations), certification bodies, and monitoring bodies as described in the regulation. The higher fine is applied when there is a breach of the “basic principles for processing including conditions for consent, data subjects’ rights, international transfer restrictions, any obligations imposed by Member State law for special cases such as processing employee data, [and] certain orders of a supervisory authority.”

According to Wigand, the fines that are collected will go back into the country’s budget. How the money is used will be determined by the individual country.

The enforcement of the GDPR is the responsibility of national data protection authorities, together forming the European Data Protection Board (EDPB), Wigand explained.

“The only company that I’ve seen that’s a big news story as far as GDPR enforcement was that fine that they imposed on Google,” said Matt Hayes, vice president of SAP Business at Attunity, a data management company. “And I believe Google is challenging it, but I haven’t seen too much enforcement of GDPR outside of that.”

According to Hayes, there is a lot riding on the outcome of Google’s case if they try to fight the fine. “If Google can fight it and win it, that is problematic. If Google doesn’t win it, then I think it’s something that a lot of companies will notice.”

Enforcement leads to compliance
Hayes expects enforcement to pick up soon, if the EU hopes to ensure compliance. If enforcement remains as lax as it is, companies will continue only loosely complying with the law, he explained.

For example, Attunity provides a product that deals with the right to be forgotten. Hayes believes that some of their customers have bought that product but haven’t implemented it. “We’ve seen some companies say just by owning [Attunity’s] software we can demonstrate some level of compliance. So they can actually own our software and not implement it.”

Hayes believes we’ll continue to see this slow compliance, unless there is a concrete reason for companies to really speed things up. “I think we’re going to see companies say, look we’ve taken a few baby steps towards GDPR, but the minute that they find out that they’re going to be audited, or the minute that there’s some enforcement in their industry, they might then decide to tighten the screws up a bit.”

According to Gary LaFever, CEO of Anonos, different countries have been taking different approaches to audits. The law is being enforced on a country-by-country basis, rather than a single entity doing it for the EU as a whole.

For example, in Italy they are doing audits in conjunction with the tax collectors. “They’re going in and they’re just doing random audits of people to see if they’re in compliance with the GDPR,” said LaFever.

But despite the slow enforcement of the law, many organizations have made changes to their data practices, which has led to structural, technical, and cultural changes within organizations.

“From an organizational perspective, I’ve seen a lot more today of teamwork at companies,” said Scott Giordano, a privacy attorney, IAPP Fellow of Information Privacy, and vice president of data protection at Spirion, a data security software provider. “Think about legal and compliance, risk management, HR, internal audits — they’re all now at the table, whereas previously it really was confined to IT and IT security.”

Companies now have to be aware of where all of their data is stored, which is something that a lot of companies struggled with, and still continue to struggle with, explained Tim Woods, vice president of technology alliances at FireMon, a security company.

John Pocknell, senior solutions product marketing manager at Quest Software, explained that the person to do that identification is a database administrator (DBA). Having someone in place to oversee data isn’t a requirement of the GDPR, although having data protection in place is. Now, Pocknell is seeing U.S. companies start to put people in place whose main responsibility is to protect the company’s data. “So even though it’s not a requirement, we are beginning to see DBAs become more big in that sort of data protection role.”

As a result of the GDPR, companies have put more of a focus on accountability when it comes to their data, said Jean-Michel Franco, senior director of product marketing at Talend, a data integration company. There should be someone at every company who is held accountable for how the company is complying with the regulation. “I think this was the most important change and the most impactful change,” said Franco. “Until the company had the DPO (Data Protection Officer), GDPR remained something a little abstract and something a little boring, and a regulation that they didn’t care much about. Once a DPO has been nominated, it changes the way that the enterprise proceeded.”

Companies need to decide whether they should hire a data protection officer, explained FireMon’s Woods. If a company suffers a breach, and they’re found guilty of not doing their due diligence — things like not having a data protection officer or not running internal assessments — then the fines could be much higher. “You have to provide them a way to be forgotten, you have to author a right of erasure or elimination or the right to be forgotten, once you have my information and if you don’t provide that and a breach happens, then you’re going to be found at fault,” said FireMon’s Woods.

“I think as corporations look at this, it’s going to have them questioning what they are doing from a response perspective,” said Woods. Companies will have to start asking questions like: “‘What am I doing? Are we running data impact assessments? If we don’t have a data protection officer, should we get one now? What are we going to do when a breach occurs? — Not if, but when the breach occurs — Not understanding the significance or how deep that breach may be, but what’s going to be our posture in response to that when we have to notify the DPA, the Data Protection Authority, within our 72-hour quote unquote period? How are we going to be perceived as a company from a readiness position?”

Quest’s Pocknell believes that a lot of companies were not prepared for the regulation. Companies may have started on the path, but in light of reports of recent big data breaches from companies outside of the EU, it’s a wake-up call that this is something everyone should be addressing.

Wigand believes that companies were given sufficient time to prepare for the regulation prior to its implementation in May 2018. The GDPR was adopted in December 2015, and guidelines on how to apply the new rules were published by the commission in January 2018.

The GDPR has been a double-edged sword for companies
Overall, the GDPR has led to positive effects for consumers, and negative (and some inadvertent positive) effects for companies.

“At HubSpot, we believe that GDPR is a good thing for the sales and marketing industry,” said Jon Dick, vice president of marketing. “It puts our industry down a path that we believe in deeply, a path of being customer first, of abandoning spammy tactics, and of being more inbound. Today to be successful, it’s not just about what you sell, it’s about how you sell. The companies that are doing this well provide an exceptional experience and are transparent about how they’re using your data.”

And while overall the GDPR has been good for consumers, most consumers still don’t know much about the GDPR. According to research from HubSpot, only 48.4 percent of consumers in the EU were familiar with the regulation and 63.9 percent of consumers in the UK were familiar. They also found that EU consumers are less familiar with the GDPR this year than they were in 2018 (32.9 percent in 2018 vs. 26.3 percent in 2019).

From the perspective of organizations, there are a few potential negatives to non-compliance. In addition to the financial penalty of not complying, there are also business risks if something were to happen to data that you weren’t protecting properly, Quest’s Pocknell explained. “You wouldn’t want to be that company that bestows personal data into the public domain. Yes, you’re going to get a fine, but imagine how much business you’re going to lose,” he said.

Another negative is that a lot of companies have lost a lot of their contacts, Talend’s Franco said. Companies that didn’t have consent to the data struggled to get consent when they followed up with those users as the law went into effect. On the flip side, some companies used this as an opportunity to connect with their customers and establish trust by being transparent about why they wanted the data and how it would be used, Franco explained.

Gary LaFever, CEO of Anonos, a data company, believes that this data loss could be catastrophic. He mentioned a study by IDC that found that a top five hospitality firm had deleted two decades of customer data. “Now they have no means of tracking historically how new initiatives that they have compared against what they’re done in the past,” said LaFever. “So particularly for AI and analytics that includes a baseline that includes what’s happening today and what’s been done in the past, you lose access to that data.”

LaFever notes that this doesn’t really apply for highly regulated industries that likely are required to maintain a separate copy of their data for audits or inquiries.

But beyond the regulation itself, the process of preparing for it has had a positive impact on organizations. By taking a deep look at their data practices, companies have been able to make better use of their data, and develop better practices for handling their data — even beyond the requirements of the GDPR.

According to Giordano, the GDPR has forced organizations to look at every element of the life cycle of personal data, including “how you’re collecting it, how you’re using it, how you’re sharing it— perhaps most importantly — and then disposing of it,” he said.

For example, Talend’s Franco has worked with a company that now has a better understanding of where all of their data is, so they are able to leverage it and use it for analysis. “They took the opportunity to get control over their data.”

Franco notes that he believes this to be true only for large corporations. There are a lot of companies out there that only did the bare minimum to be legally in compliance, he explained.

FireMon’s Woods believes that companies have begun to reassess how ready they are to respond to a breach. He believes that this is more attributed to the rise of breaches in general, rather than a direct result of the GDPR, though the GDPR does put more pressure on companies to respond to breaches faster. According to DLA Piper’s report, 59,000 personal data breaches have been brought to the attention of regulators since the law went into effect, as of February 2019. Those breaches range from minor ones, such as an email accidentally being sent to the wrong recipient, to major attacks that affect millions of people.

The GDPR gives companies 72 hours from discovery of a data breach to response. According to Woods, those 72 hours are like a second when you have to identify how you’ve been breached, the scope of the breach, such as how many people were affected and how much data has been affected. Not only that, but you have to notify the Data Protection Authority that you’ve been breached. “So 72 hours is not a lot of time to prepare, I think to understand what the extent of a given breach is.”

For example, last year it was revealed that Marriott had a breach that goes back to 2014. “I mean how do you assess a breach that goes back that far? How much information has actually been compromised?” said Woods. “So I think probably for the EU, GDPR has had an impact. I think in general for the U.S. and other countries, I think the rise of breaches in general are causing people to better their posture from a breach incident reporting and forensics gathering position.”

GDPR is paving the way for more data regulations
“A lot of the companies outside of the European Union regardless of whether or not they use data that originated from the European Union are taking a look at where they stand,” said Pocknell. The GDPR is just the beginning. Other data regulations are beginning to pop up now as well. The most noteworthy one is the California Consumer Privacy Act, which was announced last year, and which will go into effect in January 2020.

Industry experts expect that other states will soon follow suit with their own regulations. California is paving the way, but more will come soon, FireMon’s Woods believes. “I think all the states are following California’s lead right now on what they’re going to do from a personal privacy perspective to protect users. So no doubt. Everybody’s going to be following that.”

“My guess would be that a year from now we’ll probably see two or three or four other high-profile states passing data protection laws,” said Attunity’s Hayes.

The GDPR doesn’t cover everything
According to Hayes of Attunity, a data management company, the laws are more descriptive than prescriptive. This can cause some headaches for companies who are trying to figure out what they need to do to be compliant.

For example, there’s nothing definitive in the GDPR about personal data on backup tapes, Giordano explained. But if personal data is restored from that backup tape after it had been deleted, organizations will have to go in and make sure that that data gets redeleted. This probably means organizations need to rethink their backup practices.

Another scenario that’s not really addressed by the GDPR is tourism, Giordano explained. “Say that you’ve got an EU person and they’re here on vacation. Are they covered by the regulation? The GDPR doesn’t touch that and doesn’t really comment on it. Even some post GDPR commentary didn’t do a very good job of talking about it.”

Legitimate use can be used in place of consent
According to LaFever of Anonos, there are six legal bases under the GDPR for capturing data. Consent was the most commonly used one in the past, but the GDPR radically changes what counts as valid consent. “If data was collected using the old-fashioned approach to consent, it would not be legal.”

The GDPR does not have a grandfather clause that would enable companies to keep data that they collected using that old method of consent before the law went into effect.

But, according to LaFever, there is another legal basis called legitimate interest processing. If you can prove that you have the proper technical and organizational controls in place that mitigate the risk of data loss, you can use that data under the legitimate interest basis.

This is stated in Recital 47 of the GDPR, which says: “Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.” Recital 47 also states that processing data necessary for the purposes of preventing fraud and processing personal data for direct marketing purposes may be considered legitimate interest.

Article Tags

data, GDPR

About Jenna Barron

Jenna Barron is Executive News Editor of SD Times.

View all posts by Jenna Barron

Cookie	Duration	Description
cf_use_ob	past	Cloudflare sets this cookie to improve page load times and to disallow any security restrictions based on the visitor's IP address.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
JSESSIONID	session	The JSESSIONID cookie is used by New Relic to store a session identifier so that New Relic can monitor session counts for an application.
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__atuvc	1 year 1 month	AddThis sets this cookie to ensure that the updated count is seen when one shares a page and returns to it, before the share count cache is updated.
__atuvs	30 minutes	AddThis sets this cookie to ensure that the updated count is seen when one shares a page and returns to it, before the share count cache is updated.
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.

Cookie	Duration	Description
__gads	1 year 24 days	The __gads cookie, set by Google, is stored under DoubleClick domain and tracks the number of times users see an advert, measures the success of the campaign and calculates its revenue. This cookie can only be read from the domain they are set on and will not track any data while browsing through other sites.
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_S6PB8V57DG	2 years	This cookie is installed by Google Analytics.
_gat_gtag_UA_846073_1	1 minute	Set by Google to distinguish users.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
_jsuid	1 year	This cookie contains random number which is generated when a visitor visits the website for the first time. This cookie is used to identify the new visitors to the website.
at-rand	never	AddThis sets this cookie to track page visits, sources of traffic and share counts.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
iutk	5 months 27 days	This cookie is used by Issuu analytic system to gather information regarding visitor activity on Issuu products.
uvc	1 year 1 month	Set by addthis.com to determine the usage of addthis.com service.
vuid	2 years	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos to the website.
WMF-Last-Access	1 month 14 hours 26 minutes	This cookie is used to calculate unique devices accessing the website.

Cookie	Duration	Description
__Host-GAPS	2 years	This cookie allows the website to identify a user and provide enhanced functionality and personalisation.
_pxhd	session	Used by Zoominfo to enhance customer data.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
loc	1 year 1 month	AddThis sets this geolocation cookie to help understand the location of users who share the information.
mc	1 year 1 month	Quantserve sets the mc cookie to anonymously track user behaviour on the website.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
__gpi	1 year 24 days	No description
__Secure-YEC	1 year 1 month	No description
_heatmaps_g2g_100754890	10 minutes	No description
_techvalidate_session	session	No description
cf_7166_id	20 years	No description
cf_7166_person_last_update	session	No description
f5avraaaaaaaaaaaaaaaa_session_	session	No description available.
GoogleAdServingTest	session	No description
Gyazo_cfwoker	7 years 2 months 17 days 7 hours	No description
incap_ses_451_2783402	session	No description
incap_ses_769_2783402	session	No description
loglevel	never	No description available.
m	2 years	No description available.
nlbi_2783402	session	No description
prism_252377639	1 month	No description
TS011605d9	session	No description
ustream-guest	session	No description available.
visid_incap_2783402	1 year	No description
xtc	1 year 1 month	No description

AI

AI and Software Development

Observability

Guide to Observability

CI/CD

A guide to CI/CD

Cloud Native

Cloud Native Content

Data

A Guide to Data

Test

Automation

Mobile

Mobile Testing

API

Sponsored by Parasoft

Performance

Load & Performance Testing

DevSecOps

A Guide to DevSecOps

Enterprise Security

A Guide to Security

Supply Chain Security

Supply Chain Security

Dev Manager

Dev Managers Content

Agile

A Guide To Agile

Value Stream

A Guide To Value Stream

Productivity

A Guide To Productivity

DevOps

DevOps Content

Microservices

A Guide to MicroServices

AI

AI and Software Development

Value Stream Management

A Guide To Value Stream

GDPR one year later: Slow compliance, lax enforcement

Article Tags

Subscribe to SDTimes

About Jenna Barron

Related Articles

Redpanda launches serverless offering for its streaming data platform

Google Safe Browsing now performs real-time checks in privacy-preserving manner

SD Times Open-Source Project of the Week: OpenHouse

Data integration and alignment will dictate generative AI’s impact on digital transformation