Cybersecurity Disclosures Post-GDPR: Have We Really Accomplished Anything?

Before the arrival of the General Data Protection Regulation (GDPR), analysts hailed it as a tremendous achievement in increased measures and discussed at length how companies that found themselves outside the bounds of the GDPR were at risk of receiving significant fines. privacy Then, businesses of all sizes — especially small ones — scrambled to get compliant before the May 2018 deadline arrived, with many admitting they still weren’t sure of the specifics surrounding GDPR. Now, approximately five months later, how much has the GDPR changed things? Regulatory Organizations Have Yet to Issue Fines Feedback from several organizations in European Union countries that issue fines for not complying with GDPR indicates they haven’t given those penalties yet. Even once they do, the process is not straightforward or longer. The judges ruling on the cases won’t have an abundance of case law to rely on, after all. and could take months A report published a few months before GDPR took effect showed most small businesses were not yet complying with the regulations, and only . There was a tremendous importance placed on being ready before the deadline. eight percent were fully compliant But, given the fact that no fines have been issued yet, some entities might now wonder why there was such fuss. GDPR Is Not the Lone Ruling of Its Kind The amount of fanfare associated with GDPR suggested many who advocated for it felt the results would be groundbreaking. However, people have been preparing for new and data privacy rules for years, long before GDPR arrived. cybersecurity Although the United Kingdom abides by GDPR rules, the Data Protection Act (DPA) is still effective in the region and has been in place since the 1980s. Moreover, Canada has had data privacy rules known as the Personal Information Protection and Electronic Documents Act (PIPEDA) since 2001. The Health Insurance Portability and Accountability Act (HIPAA) is most familiar to health care providers. However, anyone who has ever filled out medical paperwork has probably at least come across the name and possesses a basic understanding that HIPAA relates to privacy. Then, there is a DFARS clause government contractors must treat information falling under the controlled unclassified information (CUI) category. The point is that many people looked at GDPR as if it was the first of its kind. But, businesses and individuals that collect data have had to comply with many other frameworks before it. that dictates how Also, analysts suggest GDPR is only the tip of the iceberg and elsewhere, especially in the United States. California passed its data privacy act, which goes into effect in 2020. As such, it’s best for people to stay proactive about compliance rather than playing catch up a few months before such rules are in place. similar legislation will likely follow Some Elements of GDPR Are Too Prescriptive GDPR was supposed to be a broad framework for the modern age, but some parts of it — namely the 72-hour breach disclosure window — could hurt more than they help. It’s tough to , and many critics point out that the way GDPR states that businesses must disclose breaches no more than 72 hours after they happen is not practical. get cybersecurity disclosure rules right That’s because it often takes significantly longer than that to investigate the overall severity of an infiltration. If entities race to disclose within that short window, they may provide hastily gathered and inaccurate information that does not give a valid picture of what happened during a breach. GDPR by dictating how marketers can connect with customers and the information they can gather. Internet users got that asked them to “opt in” to receiving further messages. But if they went into a recipient’s spam folder or the person otherwise didn’t take action with them, communications could not continue. also makes things complicated bombarded with GDPR compliance emails It’s also likely that most people who chose to continue receiving emails from a company did not fully understand what they were doing. Many just clicked “I agree” without reading the fine print. So, it could be argued that although GDPR intended to give users more control over data collection, it potentially just annoyed them. GDPR Is New and Imperfect The pop-up notices on websites and from email lists asking for data collection permissions are likely the biggest changes users have seen since GDPR happened. And businesses haven’t received fines yet, but they’re left figuring out how to market to people while staying in compliance. The GDPR rules have only recently rolled out, and the novelty of the rules could bring unforeseen problems. Plus, when entities comply with GDPR or any future privacy laws, they must remember that even the most carefully written legislation has flaws and may make doing business more complex. Image via Rawpixel