GDPR One Year Later: Was the Hype Worth It? - InformationWeek

Tim Reilly, COO of Zettaset


Only time will tell how GDPR and regulators can keep up with the influx of breaches and violations, but that doesn't mean GDPR is something to brush aside.

This time last year, companies were scrambling to get compliant with the EU’s General Data Protection Regulation (GDPR), which went into effect on May 25, 2018, and aims to give individuals more control over their personal data. GDPR applies to any company that holds personal data of individuals residing within the EU, and failure to comply with GDPR could cost companies up to €20M or 4% of annual global turnover. As a result, we saw most take a ‘sky is falling’ approach leading up to the enforcement deadline.

According to a PwC survey, more than 40% of companies, including American companies with a data presence in the EU, spent over $10 million preparing to comply with GDPR, but according to an April 2019 study, only 27% of U.S. companies are fully compliant, and most are just winging it and hoping not to be breached.

Should they be worried?

Of course, in the long term, compliance should be a priority. But the short-term legality is not so cut and dried. Looking back one year later, was all the fear and confusion around GDPR worth all the hype it was given?

In reality, probably not.

Global enforcement is nearly impossible

Enforcing a regulation at a global scale, as GDPR attempts, is nearly impossible right out of the gate. Need proof?

Per regulations, data breaches must be declared within 72 hours after they have been discovered, and proper authorities -- and affected data subjects -- must be notified.

However, there have been over 59,000 data breach notifications this year -- and only 91 fines. We’re not seeing proactive enforcement, but rather solely reactive.

Of course, higher-priority breaches have taken precedence, but many organizations are still waiting to hear from regulators if any action will be taken against them at all, and it’s been months. This enforcement backlog is only expected to keep piling up.

Should regulators instead look to follow and implement something like the successful California S.B. 1386 regulation? This law, which went into effect in 2003, regulates the privacy of personal information, and has seemed to do a better job than GDPR so far.

Tech behemoths have no real incentive

There are many big companies like Google, Netflix and Facebook that are still trading bad third-party data. But even if these companies hide a breach from the public and get caught by GDPR enforcement, will consumers even bat an eye? If Facebook gets hacked, not many people will walk away; users will just be forced to change their passwords and continue to use the massive social media giant’s platform.

Or take it from Google’s recent compliance fine: The French Data Protection Authority announced earlier this year that it had fined Google about $57 million, due to the company not disclosing how data is collected from users across all its services. But is $57 million just pennies to Google? These major companies aren’t dealing with the same financial or social conscience burdens as smaller companies. They’d rather pay a fine and move on. They are not as concerned about losing customers as smaller companies. Therefore, there is little incentive for them to be compliant.

An opportunity exists

Whether or not GDPR can be enforced to the level initially feared, it brings one opportunity organizations would be remiss to ignore. GDPR requires companies to understand their data flow, what exactly is being collected, and where it is. Companies are effectively doing an audit that helps them find the most sensitive data in the infrastructure and streamline all their protection processes.

Organizations that take this exercise seriously will be better off in the long run with stronger, more secure data infrastructure. They’ll also be better able to market themselves to customers who want to know their data is secure.

Only time will tell how GDPR and regulators can keep up with the influx of breaches and violations, but that doesn’t mean GDPR is something to brush aside. Make an honest effort to clean your data stores, delete unnecessary data, perform regular systems tests, and implement the strongest security measures possible. While GDPR may not have lived up to its Y2K-like media hype, getting your data houses in order can only be a good thing.

Tim Reilly leverages over 25 years of business, financial and operational experience at public and private companies in the networking, software and Internet industries. Prior to Zettaset, Reilly was the vice president of finance at Trapeze Networks (acquired in August 2008 by Belden, Inc.). Prior to that, he served as the vice president of finance at netVmg (acquired in September 2003 by Internap Networks). He also has held numerous financial positions at WorldxChange Communications (acquired in February 2000 by World Access), CATS Software and Ernst & Young, LLP. He is a certified public accountant and earned a BS in Accounting from the University of Southern California.

