Today’s the day: The European Union (EU) General Data Protection Regulation (GDPR) becomes fully implemented. GDPR enforcement begins in earnest. It really is a watershed moment for threat detection, data privacy, and cybersecurity—and enterprises around the globe are scrambling to adapt.
According to research by Capgemini, 85% of enterprises surveyed last week were not ready for GDPR enforcement. Simultaneously, Fortune 500 companies have spent nearly $8 billion combined to achieve GDPR compliance.
American enterprises need to remember that they are not exempt from GDPR enforcement; in fact, quite the reverse. If your enterprise collects any data on EU citizens, you are liable for the heavy fines and litigation that come with a GDPR compliance violation.
There have been a lot of headlines today surrounding GDPR enforcement. But one headline in particular should give enterprises pause:
“Forced Consent” Will Most Likely Not Fly For GDPR Enforcement
European privacy group None of Your Business (noyb.eu) has already filed a complaint against both Google and Facebook for forcing users to consent to their data usage terms or be outright denied service. While it is as yet unclear whether this will fall under GDPR enforcement, noyb.eu argues that both the letter and the spirit of the law say that users should have a real choice in how their data is used. The days of a simple checkbox for “agreeing to all terms” are over.
If the EU does find Facebook and Google guilty of a compliance failure, the combined fine could total around $7 billion.
What Should Enterprises Learn?
It’s better to be safe than sorry; give your EU customers a genuine choice in how their data is used. If they deny permission to certain data usage, you shouldn’t block services to those customers.
Customers also possess the right to be forgotten—the right to ask that all of the data a company has collected on them be deleted. The EU will (most likely) expect companies to keep giving those customers equal access to their services. In other words, the consent protocol has to be implemented properly and in good faith.
According to Max Schrems, head of noyb.eu, in an interview with ZDNet: “you do have the legal power to use all the data that’s necessary for your service anyway. Limit consent to what’s really interesting, which is the stuff that’s not really necessary for a service — the add-ons the companies want to make money on.”
“Consent does work if it’s a really specific question you’re asking, like ‘Do you want to have personalized advertising or not?’ It does not work with a long list of everything you want to do with data.”
Other GDPR Enforcement Advice for Enterprises
Your enterprise needs to keep the following in mind:
- All EU citizens have the right to see the information your enterprise collects about them.
- If your enterprise suffers a data breach, you must notify all affected users and the relevant EU supervisory authorities within 72 hours of discovery.
- Each EU member state has its own supervisory authority.
- Even if your enterprise has fewer than the 250 employees that normally trigger compliance enforcement, you may still be liable under GDPR if your data collection has severe privacy rights implications.
If your enterprise is struggling with GDPR enforcement, or if you don’t know where to start or how to move forward, check out the “Best Practices and Essential Tools for GDPR Compliance” courtesy of SIEM vendor AlienVault.