Kayla Matthews

@KaylaEMatthews

Cybersecurity Disclosures Post-GDPR: Have We Really Accomplished Anything?

Before the arrival of the General Data Protection Regulation (GDPR), analysts hailed it as a tremendous achievement in increased privacy measures and discussed at length how companies that found themselves outside the bounds of the GDPR were at risk of receiving significant fines.

Then, businesses of all sizes — especially small ones — scrambled to get compliant before the May 2018 deadline arrived, with many admitting they still weren’t sure of the specifics surrounding GDPR.

Now, approximately five months later, how much has the GDPR changed things?

Regulatory Organizations Have Yet to Issue Fines

Feedback from several organizations in European Union countries that issue fines for not complying with GDPR indicates they haven’t given those penalties yet.

Even once they do, the process is not straightforward and could take months or longer. The judges ruling on the cases won’t have an abundance of case law to rely on, after all.

A report published a few months before GDPR took effect showed most small businesses were not yet complying with the regulations, and only eight percent were fully compliant. There was a tremendous importance placed on being ready before the deadline.

But, given the fact that no fines have been issued yet, some entities might now wonder why there was such fuss.

GDPR Is Not the Lone Ruling of Its Kind

The amount of fanfare associated with GDPR suggested many who advocated for it felt the results would be groundbreaking. However, people have been preparing for new cybersecurity and data privacy rules for years, long before GDPR arrived.

Although the United Kingdom abides by GDPR rules, the Data Protection Act (DPA) is still effective in the region and has been in place since the 1980s. Moreover, Canada has had data privacy rules known as the Personal Information Protection and Electronic Documents Act (PIPEDA) since 2001.

The Health Insurance Portability and Accountability Act (HIPAA) is most familiar to health care providers. However, anyone who has ever filled out medical paperwork has probably at least come across the name and possesses a basic understanding that HIPAA relates to privacy.

Then, there is a DFARS clause that dictates how government contractors must treat information falling under the controlled unclassified information (CUI) category. The point is that many people looked at GDPR as if it was the first of its kind. But, businesses and individuals that collect data have had to comply with many other frameworks before it.

Also, analysts suggest GDPR is only the tip of the iceberg and similar legislation will likely follow elsewhere, especially in the United States. California passed its data privacy act, which goes into effect in 2020. As such, it’s best for people to stay proactive about compliance rather than playing catch up a few months before such rules are in place.

Some Elements of GDPR Are Too Prescriptive

GDPR was supposed to be a broad framework for the modern age, but some parts of it — namely the 72-hour breach disclosure window — could hurt more than they help. It’s tough to get cybersecurity disclosure rules right, and many critics point out that the way GDPR states that businesses must disclose breaches no more than 72 hours after they happen is not practical.

That’s because it often takes significantly longer than that to investigate the overall severity of an infiltration. If entities race to disclose within that short window, they may provide hastily gathered and inaccurate information that does not give a valid picture of what happened during a breach.

GDPR also makes things complicated by dictating how marketers can connect with customers and the information they can gather. Internet users got bombarded with GDPR compliance emails that asked them to “opt in” to receiving further messages. But if they went into a recipient’s spam folder or the person otherwise didn’t take action with them, communications could not continue.

It’s also likely that most people who chose to continue receiving emails from a company did not fully understand what they were doing. Many just clicked “I agree” without reading the fine print. So, it could be argued that although GDPR intended to give users more control over data collection, it potentially just annoyed them.

GDPR Is New and Imperfect

The pop-up notices on websites and from email lists asking for data collection permissions are likely the biggest changes users have seen since GDPR happened.

And businesses haven’t received fines yet, but they’re left figuring out how to market to people while staying in compliance. The GDPR rules have only recently rolled out, and the novelty of the rules could bring unforeseen problems.

Plus, when entities comply with GDPR or any future privacy laws, they must remember that even the most carefully written legislation has flaws and may make doing business more complex.

Image via Rawpixel

More by Kayla Matthews

Topics of interest

More Related Stories