'Regulation without teeth is just a document': 6 months in, industry awaits major GDPR enforcement

In July, the United Kingdom's Information Commissioner's Office quietly issued the first notice of General Data Protection Regulation enforcement to a Canadian analytics firm.

Last week, German data protection authorities (DPA) handed down the country's first sanctions in the form of an almost $23,000 fine to chat platform Knuddels.de, reports Bleeping Computer. The company suffered a breach in July that compromised 1.8 million usernames and more than 808,000 email addresses.

But for the most part it's been quiet. Some would say too quiet.

While GDPR has forced businesses to reevaluate their relationship with consumer data, many are dragging their heels on compliance or treating it as a one-off. Going into 2019, all eyes will be on European regulators, waiting to see when they hand down the first major fine or penalty to a noncompliant company.

In the U.S., comprehensive data privacy and protection rules are lagging. A federal data privacy law could be years away, but state legislation with GDPR-like principles are slowly beginning to shape data processing and handling practices.

What the experts say

GDPR's implementation hasn't gone off without critiques.

The people and processes were put in to meet the first deadline, but compliance wasn't necessarily looked at from a sustainability standpoint, according to Chris Babel, CEO of TrustArc, in an interview with CIO Dive.

Although a "good idea," GDPR started from the bottom instead of the top and hasn't been implemented well, eBay CEO Devin Wenig said, speaking at The Washington Post's The Technology 202 Live event in Washington in October.

The wiring should come after figuring out the problem, he said. "You know, we were slapping cookie banners on websites before we were answering the question of, 'What are we really trying to solve?'”

Assessing the impact of GDPR, it's important to take into account geographic location.

U.S. industry is still lagging in GDPR compliance, according to Crispen Maung, chief compliance officer at Box, in an interview with CIO Dive. Europeans have been talking about GDPR for a longer period of time and are more directly under its purview, so compliance is higher.

The chaos surrounding Brexit has afforded many companies breathing space, he said. It's not a reprieve, but extra time to get the house in order.

GDPR has pushed more businesses and professionals into the field of information security to understand not only the appropriate, but also ethical use of data.

It has also increased the discussion about how businesses can engineer privacy, according to Jen Brown, data protection officer at Sumo Logic, in an interview with CIO Dive. Privacy engineering is taking off as a new career track in the industry as privacy and design are increasingly baked into business from the onset.

Improving the processes and controls around data and embedding those protections into all areas of a business will be a recurring responsibility for organizations.

One area that hasn't received a lot of attention is GDPR's effect on B2B relationships, according to Babel. There is more debate in contract negotiations between companies about which party controls what or what it's responsible for, which demonstrates that companies are holding each other strongly accountable.

What to look for in 2019

Many experts expect to see fines and more notices come down the line next year.

There are rumblings that regulators are getting ready to come after companies not taking it seriously, according to John Visneski, director of information security and DPO at Pokemon International, in an interview with CIO Dive. For now, the regulation is still the highest bar for businesses to meet at the moment, from a regulatory and ability to enforce standpoint.

Regulators will continue quietly issuing notices until they have built up enough precedence to be more vocal, predicted Maung. The next year is likely to be relatively quiet as data protection authorities continue to define and redefine their processes.

Every European can raise a complaint with a company, and right now regulators are sorting through thousands of requests. This process gets complicated as it goes across geographic lines.

If a French citizen raises a complaint against a German company, they go to their French DPA, which must then contact the German DPA in the right district, Maung said. There isn't enough muscle memory for that to be an efficient process yet, but will be more established as the regulation ages.

Looking at precedent from other huge regulations, such as Sarbanes-Oxley, HIPAA and PCI, these often took many years and multiple fines for organizations to really step up and care, Matt Radolec, security architect manager at Varonis, said in an interview with CIO Dive.

But with compliance it's important to remember not to look at the deadline as a destination but rather as a step to the end goal of using data more responsibly and securely and protecting customers.

A quiet six months has drawn concern that if significant regulatory action doesn't happen soon, people will stop caring about the regulation.

A regulation without teeth is just a document, said Radolec, and until regulators start handing down real penalties many parties that haven't taken it seriously yet still won't be motivated. Whether its 2019, 2020 or 2025, it's going to take a headline news incident with hundreds of millions of dollars to really get people's attention.

In 2019, organizations need to continue the ongoing path to compliance. Ensuring that data maps, processing systems and data subject request processes are sufficient will help a company show it exercised due diligence, he said.

They also need to continue thinking about privacy holistically, because the flashlight has been shone and it's not going away, Brown said. Just focusing on GDPR or the California Consumer Privacy Act won't be enough.

Can we expect a US version?

Some of the top executives and businesses in the U.S. have called for a U.S. data privacy law. After a handful of high profile data breaches in the last few years, consumer calls for more protections have also mounted.

If the U.S. passes its own version, it could do it "very, very differently and do it better," according to Wenig. The country needs to start with the question, "What privacy problem are we trying to solve?" and figure out how to accomplish those goals without "screwing" the companies that are beacons of innovation.

When asked if the White House is thinking about privacy legislation, Abigail Slater, special assistant to the president for tech, telecom and cyber policy at the White House Economic Council, said at the Technology 202 event that the White House is willing to work with Congress on privacy legislation.

Institutions such as the National Telecommunications and Information Administration, National Institute of Standards and Technology and Department of Commerce provide a "thoughtful policymaking process" for people to go through and be a part of the process, she said.

Big tech has called on Congress for privacy regulation, especially in the hopes of overruling mandates in California's privacy bill, including where information is stored, how quickly data requests need to be filled and the size of fines. Many industry associations are pushing for voluntary standards in place of legal mandates, which critics argue would not be binding enough for meaningful change.

There is a fair amount of commercial pressure not to enact a federal policy, according to Radolec. The current administration is very pro-business, and data privacy regulations aren't cost cutting.

Based on the fact that not a lot of full blown regulations have come through during the administration so far, it seems more likely the White House would opt for executive action, he said. A privacy law is not likely to come during an election year, either.

If a U.S. version were to come down the line, Brown advocated for a provision around privacy education for youth. "We've become such a wired society," she said, and privacy and security need to be taught from a young age so people don't think that data is free.

States still lead the charge

For now, California continues to lead in the U.S. with the California Consumer Privacy Act, which will go into effect at the start of 2019. As the epicenter of the American technology industry, the California economy is unavoidable for many businesses around the country.

Colorado also enacted the Colorado Protections for Consumer Data Privacy Law in September — a strategic move for a company looking to attract more tech companies into its borders.

These frontrunners are expected to shape state policy in the rest of the U.S. New York will likely be the next to follow suit, with the rest of the Northeast, especially Massachusetts, Connecticut and New Jersey, likely to follow close thereafter.

State regulations still have less teeth than GDPR, which makes it harder to get organizations to demonstrate their compliance. They also aren't as prescriptive as the European standard.

Businesses that are GDPR compliant that now are looking to CCPA can breathe a sigh of relief. "If you've done GDPR and then looked at what you need to do for CCPA, you're 87% done," said Babel. There are some twists and tweaks, but at a foundational level one helps the other.

Some businesses opted to segment European users and reach GDPR compliance with that subset but not their entire business. With CCPA around the corner, many now have to do many of the same processes again for the rest of their business — a big time and resource sink, according to Babel.

Had they implemented compliance for the entire business from the start, it would have been easier.