Subscribe
AdobeStock_156482624

Felix Rosbach l Jan 17, 2019 l GDPR, Data Protection, Compliance

GDPR - Biggest Fail of 2018?

I recently read a post in which someone claimed that GDPR was probably the biggest fail of 2018.

Really? I can’t stop myself from writing a comment here – I’ll keep it short though. Maybe.

Have you heard about GDPR?

2018 was the year of GDPR - no question. Around May 25 it was everywhere. Before that date it was all about compliance. The date came and then everyone waited to see who was going to be the first one to be called to account by the respective authorities. And then nothing happened (or at least it felt that way).

Now we’re in 2019 - and in a few months, the regulation will have been here for an entire year.

Is this good or bad? Do we have a fail here?

Everyone thinks that privacy in its abstract form is a good thing. From a consumer perspective, these regulations are incredibly important. First, technology has evolved with an unbelievable speed in recent years. Too many consumers are realizing what “data usage” actually means way too late.

Second, large corporations like Facebook or Google can make use of the enormous leverage they have on consumers. How many of us immediately accepted Google's recently updated terms and conditions without reading them? We knew we all were going to accept them anyway - nobody wants to renounce Google (chapeau to the few of you who do - you're my personal heroes).

So, if we deal with the question of whether GDPR was a fail, we have to do that from a business perspective.

What did the regulation mean for companies?

There was no choice

Regulations in the tech industry are very complicated. The dynamics in which the market develops, the speed of new start-ups and, of course, new ideas are enormous. In addition, technology has now penetrated all verticals. Even the smallest SMBs now manage sensitive data and can become the target of an attack.

So what is being done to regulate companies?

One possibility would be to let the individual European countries regulate this themselves. However, this creates silos - and none of us likes this word (unless you come from an agricultural background).

With a population of 508 million people, the European market is one of the largest in the world - as long as it is unified. Businesses - especially small businesses and start-ups - are more likely to offer their goods and services across borders if they do not have to follow specific laws for each country. This also applies to companies in the US - which can now rely on a unified data protection law when offering their services in the EU, thanks to GDPR and EU-US the Privacy Shield Framework. Imagine having to cover 27 different regulations in a foreign market! They’ve got enough trouble as it is keeping the various privacy laws among all 50 States in order.

Furthermore, it is enormously difficult for the EU to find the right level of regulation. That’s another topic – but anyway they did it - and it's a step in the right direction.

But how do companies see that?

The impact for companies

By May 25, 2018, all companies were 100% compliant.

At least almost all.

OK, some.

A few?

Alright, none. Maybe that’s an exaggeration. Or is it?

Basically, here you can divide it into two sides. The external “image” side, you could also call it the GDPR marketing side, and the side involving implementation of technical measures to protect the data.

Externally, many companies indicated that they were doing everything to be GDPR compliant; from sending far too many consent emails to banning European traffic from US websites. We’ve seen it all.

What used to be the 95 theses of data protection nailed to the door of GAFA a few years ago now hangs in every barber shop in the EU. And so everyone - at least to the outside - tried to be personally compliant. Wunderbar.

But what about actual privacy and data protection?

Many companies, if not most, have still NOT done everything necessary to protect the privacy of their customers. Whether it's the complex processes - or the technical countermeasures to minimize the risk of breaches. It is not easy to keep up here.

GDPR is very open for interpretation. There will be no 100% compliance. Like Article 32 which requires data controllers to 'ensure a level of security appropriate to the risk'. What does that actually mean? On what terms are security measures deemed appropriate to a given risk?

Nevertheless, the regulation is not bad. It provides the groundwork for evaluating the behavior of companies that deal with data. This becomes clear when we look at two cases from the last few months:

Recent GDPR Fines

Germany:

A chat platform was compromised by hackers in September 2018. PII of 330,000 users was subsequently made publicly available.

Fine: 20,000 € (~22,900 USD)

In case you’re asking “why so little?”

  1. They reported the breach promptly
  2. They cooperated closely with the DPA
  3. They immediately followed the recommendations of the DPA

Portugal:

A Portuguese hospital had poor account management practices. There were 985 active accounts for doctors in the database and even though only 296 doctors worked in the hospital, every doctor had access to all patient records, regardless of his or her specialty.

Fine: 400,000 € (~458,000 USD)

Clearly, a lot depends on the willingness of companies to deal with the issue.

Conclusion

So, was GDPR a fail?

In my opinion, absolutely not. Sure – on the one hand it could have been less stressful but, on the other hand, companies should be doing more to protect our privacy. There are many other ways to solve this problem – and there might be better ways. But bear in mind: technology is one of the most difficult things to regulate, however, if it weren’t regulated at all – this would not only be bad for customers,  but also for companies trying to do the right thing. When it comes to fines, there could be more transparency – but I like the idea that “good companies” will be able to avoid or minimize fines by proactively working on issues – while lazy companies have to pay for their complacency.

At the end of the day, breaches are not always avoidable.

Keeping that in mind – the protection of data is more important than ever - and will remain so. This affects not only the IP of companies - but also the data of their customers - and thus the very important relationship of trust. GDPR is only the beginning - more and more comparable regulations are coming.
Share this:  LinkedIn XING Email

What does your company do to protect data?

Data breaches have become so frequent that it's more a question of when rather than if they will happen. Data-centric security is the best method to protect the data itself and thereby minimize the impact of breaches by rendering it useless to attackers. And the best part is, this can be done without interrupting business processes!
Click the button below to download our white paper: "The Choice is Yours: Adopt Data-centric Security or Risk GDPR and PCI Non-Compliance."

Download White Paper

Related posts

How to Stay Agile and Compliant with Format-preserving Protection for Analytics

Aug 4, 2022 l GDPR , PCI DSS , Compliance , Big Data Analytics , CCPA

How to Stay Agile and Compliant with Format-preserving Protection for Analytics

Cloud-based analytics offer a truly transformative opportunity for global organizations. By extracting insights from data, they are already helping companies better serve their customers, improve operational efficiencies and make better business...

Read more
17 Countries with GDPR-like Data Privacy Laws

Jan 13, 2022 l GDPR , Data Protection , Compliance , CCPA

17 Countries with GDPR-like Data Privacy Laws

GDPR wasn't the beginning and it certainly won't be the end. Strict data privacy legislation with extraterritorial applicability is appearing in more and more economies across the globe, meaning the list of “GDPR-free” havens is growing shorter by...

Read more
The New Indian Personal Data Protection Bill (PDPB) Compared to GDPR

Aug 31, 2021 l GDPR , Data Protection , Compliance , Asia-Pacific

The New Indian Personal Data Protection Bill (PDPB) Compared to GDPR

The EU’s General Data Protection Regulation (GDPR) has been around for some time now and has set the stage for other countries and regions to follow suit. As such, understanding a new data protection regulation can be fast-tracked by looking at the...

Read more

Service

Germany

comforte AG
Abraham-Lincoln-Str. 22
65189 Wiesbaden
Germany

Phone: + 49 611 93199 00
Fax: + 49 611 93199 05

Australia

comforte PTY
Suite 20, 1 Rivett Road
North Ryde
NSW 2113
Australia

Postal Address:
PO Box 1710
Lane Cove
NSW 1595
Australia

Phone: +61 2 8197 0272

USA

comforte Inc.
30 Wall Street, 8th Floor
New York, NY 10005-2205
USA

Phone: +1-646-438-5716

Singapore

comforte Asia Pte. Ltd.
1 Raffles Place, #19-61 Tower 2 
Singapore 048616

Phone: +65 6808 5507

© comforte AG 2023