GDPR Impact Being Felt Worldwide By Companies
It’s been several months since the EU’s General Data Protection Regulation (known by the initials, GDPR) was passed into law. Since then, companies have scrambled to comply with the new law, which requires data protection and limits marketing initiatives.
Daryl Crockett is the CEO and founder of ValidDatum, a Massachusetts consultancy that helps companies comply with the new law. She answered a few Block Tribune questions on how much progress has been made since the GDPR passed.
BLOCK TRIBUNE: The GDPR has been in effect for a while now. Have there been any notable lawsuits?
DARYL CROCKETT: Lawsuits have been started by larger companies, who have been served notices leading to fines, over the interpretation of the law. In addition, class action and civil suits have begun on behalf of EU data subjects as a result of data breaches.
Facebook experienced a recent data breach (2nd October 2018) which could result in a $1.6 billion USD fine. The notice was filed by the Irish Data Protection Authority and will be the first major legal test for a large company fined under GDPR.
In addition, AggregateIQ, a Canadian data acquisition firm, has been issued a notice from the UK ICO for improper use of personal data in political campaigns and will be subject to a large fine – the company has started a legal defense challenging the charge.
The most notable class action suit filed to this date is against British Airways on behalf of the 390,000 customers whose data was compromised – there is an estimate of a $1,600 USD penalty per subject if the suit is upheld.
BLOCK TRIBUNE: Has there been any effect on businesses outside of the EU?
DARYL CROCKETT: Absolutely. In the US, for example, companies are beginning to understand that compliance with the GDPR is not optional. The IAPP estimates 60% of US companies have absorbed the cost of at least starting a compliance program (on average, $500,000 or greater).
Any IT program involving personal data should include fundamental tenets of data privacy, including Privacy by Design and by Security, in all operational and technical components of an organization. Doing this will be less costly in the long term and will position a company to be in compliance with any global data privacy regulation.
BLOCK TRIBUNE: How soon do you see GDPR-type laws starting up in other countries?
DARYL CROCKETT: A comparable act in Brazil will go into law in 2020. China has signed a data privacy act which went into law this year. California signed into law the California Consumer Protection Act this year – the CCPA will become law in 2020, and as California’s action in securing the pharmaceutical drug supply chain led to a US Federal law (DSCSA), there is opinion that the CCPA will force the Federal government to develop a US Federal data privacy law.
BLOCK TRIBUNE: Is there any movement underway to modify or otherwise amend the GDPR?
DARYL CROCKETT: The GDPR itself has not been amended since going into law on 25th May 2018. However, the GDPR itself allows each member state and their respective data processing authority (DPA) to set their own country-specific, or in the case of Germany, their own state-specific (in Germany, there are 16 state-specific laws) data privacy laws. For instance, in the UK, the Data Protection Act of 2018 (DPA 2018) complements GDPR – when interpreting and complying with the law in the UK, GDPR and DPA 2018 must be adhered to collectively. So figuring out what rules to comply with is becoming a real challenge! Companies must keep up with the changes in the legislation.
BLOCK TRIBUNE: What are businesses telling you about how they have been affected by it?
DARYL CROCKETT: In the US, we are finding certain business sectors are either blissfully unaware they need to comply, or there is confusion with the plethora of conflicting and overlapping regulations in the US (e.g. HIPAA, PCI-DSS, Gramm-Leach-Bliley, New York DFS Cybersecurity, etc.).
We are hearing from our London team that customers are requesting more guidance relative to the more complicated provisions of the law. With the first wave of penalty notices now sent out by authorities, the concern is growing.
BLOCK TRIBUNE: Is it a good law, or one that needs a lot of modification, in your opinion?
DARYL CROCKETT: The dawning of a new era in Data Privacy and Security is long overdue. Based on the number of successful cyber-attacks in the last five years, the GDPR is long overdue.
The GDPR and EU member state laws are onerous and contain extremely high penalties relative to US privacy laws. The expectation from our end is that some of the fines under the law will be challenged in court – while other articles of the law are very straightforward and not open for interpretation.
For instance, many companies must hire a Data Processing Officer (DPO) under the new law. There will be ample time (more than likely, a one-year grace period after the law was enacted) during which regulators will allow companies to hire DPOs. But if a company does not comply with this provision and there is a data breach, there will be little defense against fines. And there are not enough qualified DPOs to go around!
Is the law overly onerous? The bottom line from our vantage point: the regulation was signed into law in 2016, providing a two-year lead time for companies to comply – or at minimum, to have started a well-developed compliance plan. There is no question compliance with these regulations can be costly and disruptive to a business, particularly in large, mature businesses with complex computer systems. However, while organizations should be concerned, forward-thinking companies are using the GDPR as an impetus not only to turn their privacy and data security policies into an asset, but to increase their competitive advantage in a marketplace which is demanding greater security of personal data. In our opinion, individual data privacy rights cannot be ignored.