Black Bear Information Security
Information Technology Security

GDPR - 3 Weeks Later


It’s no secret the General Data Protection Regulation (GDPR) has taken the Internet by storm. In the three weeks before the enforcement date of May 25th, 2018 <insert acceptable time zone mapping>, thousands of e-mails and website postings notified their respective users of updated privacy policies, some requiring acceptance of the updated terms via one-click checkboxes. While this last-minute push toward GDPR compliance stayed steady for a month or so before the deadline, let’s look at the weeks following 05/25/18 and how this response is affecting consumers and businesses alike.

Week 1 – Websites Block Traffic, Complaints Filed, Government Agencies Compromised

The immediate reaction of several large-scale media operations was simply to block public access from specific regions of the world (the EU). This sort of reaction may stem from a lack of preparation, from needing more time to prepare, or from simply not knowing which steps must be completed to remove the risk of non-compliance. Many of the businesses operating out of the U.S. could be taking a reactive, wait-and-see approach: letting other companies absorb the fines while learning from what those companies could have done right. A proactive approach is more defensible in terms of compliance; however, the GDPR leaves a few stones unturned (or at least unclear) in a handful of policy-driven areas.

Privacy activist Schrems quickly threw his hat into the ring, along with several others who run in his circles. Complaints filed so far involve La Quadrature du Net, the Center for Digital Democracy, the DPA (Belgium) and the DSB (Austria). Some of the complaints were filed against top tech players Facebook, Instagram, and Google.

Immediately following the deadline, the focus on potentially harmful data breaches expanded from the technology companies listed above to a government body: the European Commission. It reportedly and inadvertently leaked the personal information of hundreds of European citizens. The information included names, addresses, and professions, as well as postal details of certain British citizens. Because the GDPR does not apply to the Commission until later this year, the breach did not trigger the GDPR’s notification requirements.

Week 2 – New Guides, Positive Outlooks, More Guides

Immediately following the initial complaints and the somewhat melancholy media response about exactly how hard the GDPR was going to hit, people are starting to see the forest for the trees, or something like it. The week of June 4th added several hundred variations of GDPR compliance guides, each with its own roadmap and summary of the GDPR definitions. All (hopefully) accurate, but only time on the Internet will tell.

One notably efficient 241-page guide can be found HERE; it outlines detailed information and a myriad of helpful links on the paths to GDPR compliance. On June 4th, 2018 the guide, which has been circulating for some time now, received additional updates. The one line I get the most questions about concerns the purpose limitation principle, i.e. how data can be transparently collected by the entity that controls said data. The guide lays it out via Article 5(1)(b):

“1. Personal data shall be:

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be incompatible with the initial purposes.”

In summary, via the guide (reference: page 23 of the ICO.ORG.UK Guide to the General Data Protection Regulation (GDPR)):

"In practice, this means that you must:

be clear from the outset why you are collecting personal data and what you intend to do with it;

comply with your documentation obligations to specify your purposes;

comply with your transparency obligations to inform individuals about your purposes; and

ensure that if you plan to use or disclose personal data for any purpose that is additional to or different from the originally specified purpose, the new use is fair, lawful and transparent."

Week 3 – Well that’s this week!


So far, we’ve noticed an uptick in articles outlining the common theme of “Companies still aren’t ready”. Only 47 percent of surveyed law firms were found to be “fully prepared” to meet the GDPR requirements. It is true that most companies are still in the process of moving toward full GDPR compliance, and this is mostly due to the lack of talent familiar with the GDPR outline. No companies prior to 2016 had the resources available to tackle the procedures needed to implement the GDPR across the board, and now they’re struggling to get something in place.

The question is, why are we here three weeks after May 25th, 2018 <insert appropriate time zone>? Again, it comes down to a lack of knowledge on how to navigate the GDPR’s inner workings while selecting the appropriate items to act on within the organization. The major failure point in compliance efforts has been understanding how each compliance item relates to the others while keeping full knowledge of what doesn’t apply and where. A proper GDPR data discovery exercise with associated data mapping is key to moving toward GDPR compliance: this way, you’ll know where your data resides and how to secure it as the regulation requires. Hopefully, in the coming weeks, we see more compliance-related articles on how companies succeeded, rather than more posts on how everyone is still behind, three weeks later.