
GDPR is on the books, Google, Facebook face lawsuits, others scramble to comply


GDPR has been in play for less than 24 hours and several lawsuits have already been filed in the EU against Facebook and Google claiming each is not abiding by the new privacy regulations.

Many websites have also gone dark in the EU, including the New York Daily News, Chicago Tribune, LA Times, Orlando Sentinel and Baltimore Sun, because they're not GDPR compliant, according to the BBC. Whether or not such drastic action was truly required to protect a potentially non-compliant company is debatable said attorney Aaron Tantleff, a cybersecurity and privacy partner with Foley & Lardner.

"While some of the companies going offline are most likely doing so because their business model depended, in some part, upon processing personal information in what would be in conflict with the GDPR (and perhaps in conflict with the former data directive), likely making them prime targets for early action and substantial fines, the majority of those going offline probably did not need to. Many of the companies going offline are subjecting themselves to ridicule on the internet, allowing the commentators to draw conclusions and label such companies as evil," he said.

The lawsuits hitting Facebook and Google were filed by Austrian lawyer Max Schrems, who runs the NGO None of Your Business, CNN has reported. The suits were filed in French, German, Belgian and Austrian courts. CNN cited sources that said Facebook is already breaking the regulation by continuing to collect information on political opinions, religious beliefs, ethnicity and sexuality without its users' permission, and is doing so by pulling together disparate bits of data on its user pages.

“With its strict guidelines on how personal data is handled, the GDPR is poised to be the single greatest compliance event in decades and will be a wakeup call for businesses that are not prepared. Here's a tactical look at approaches to avoid those hefty fines that could be up to $24.5 million or four percent of a company's annual revenue, depending on whichever cost is higher for the non-compliant company to pay,” said Michael Aminzade, Trustwave's vice president of global compliance and risk services.

Steve Durbin, managing director of the Information Security Forum, speaks with SC's Executive Editor Teri Robinson on GDPR.

The run-up to GDPR's implementation was also not without its problems, said Terry Ray, Imperva's CTO, noting that the website of the U.K. Information Commissioner's Office (ICO), responsible for protecting information and privacy rights, crashed when thousands of late requests for information poured in on May 24, an outage that was entirely preventable with a little forethought.

“While predicting the volume of last-minute traffic to a website can be difficult upon go-live, there are solutions, particularly those in infrastructure- and platform-as-a-service, that make scaling web infrastructure to meet elastic demand readily available,” said Ray. “This is how online retail and others meet demand in their peak seasons, yet scale back infrastructure the rest of the year when throughput is lower to save costs.”

The ICO site is now back up.

Even though the deadline has passed, it's not too late for companies to become compliant, and for those that are still in the process of getting their GDPR ducks in a row, the EU is expected to be lenient.

Russ Lowenthal, Oracle's director of product management for database security, said during an SC Media webcast that companies showing good faith toward implementing GDPR privacy standards will likely not get hit with the full force of the regulation if they are not yet compliant.

Anupam Sahai, Cavirin's vice president of product management, agreed, explaining that not even the regulators are prepared at this point to enforce full implementation.

“First off, this isn't like Y2K nearly two decades ago. Your systems won't suddenly stop working, and the EU regulators aren't going to be slapping you with a 4 percent fine anytime soon,” Sahai said.

For those companies that are well behind the GDPR curve, Chris Morales, head of security analytics at Vectra, suggested several steps that can be taken immediately to begin to correct the problem.

“First, review all of your privacy notices and make sure they accurately reflect what your organization is doing, are easily understood by users, and are not hidden deep inside other legal terms,” he said. “Second, make sure you aren't collecting lots of data that would put you at risk on day one and you don't have a need for. Finally, verify that you are keeping records on what you are doing for GDPR in case a problem does arrive.”
