Dark Reading: GDPR Oddsmakers: Who, Where, When Will Enforcement Hit First?

The GDPR grace period ends today. Experts take their best guesses on when data protection authorities will strike – and what kind of organizations will be first to feel the sting of the EU privacy law.

Alarm bells are ringing. The grace period is over. As of today, supervisory authorities are officially free to lay down enforcement action for the European Union’s General Data Protection Regulation (GDPR). Now come the real questions: who gets hit first, for what, how hard, and when does the hammer drop?

There are probably as many answers to those question as there are supervisory authorities (SAs), and there are many, notes Omer Tene, vice president and chief knowledge officer of the International Association of Privacy Professionals. Tene points out that there are 28 different EU member states, and not only might they have individual federal authorities, but they may also have a dozen more for individual states – similar to the US system. Different authorities have different priorities and different “appetites” for litigation or punitive action, he says.

They also vary in their staffing and resources. As Michelle Dennedy, chief privacy officer of Cisco, puts it, the privacy field is small enough that almost everyone knows each other by name. While Tene doesn’t think there has been a connection between the size of authorities’ resources and the size of their appetities – some of the smaller ones going after the biggest companies in the past – Dennedy maintains it could affect the number of organizations they investigate.

GDPR sets down new rules about consent, requiring organizations to obtain individuals’ consent to collect, store, use, share, transmit, or sell their personal information for any reason – and an individual can withdraw that consent at any time, meaning that the organization must retrieve and destroy information as necessary. It includes rules about information security, including pseudonymization, encryption, and multi-factor authentication.

The law applies to the data of EU citizens, regardless of where the data resides, so it affects organizations across the globe.

If you’ve started your compliance process but aren’t finished, you might not need to lose sleep. Yet.

“I don’t think regulators are necessarily trying to play ‘gotcha,’” says Greg Sparrow, senior vice president and general manager of CompliancePoint. Rather than trying to stick it to the organizations that don’t have every control for every article in place yet, he says they’re looking for “willful neglect” and “blatant disregard” for the law and its intent. Read more on: https://www.darkreading.com/risk/compliance/gdpr-oddsmakers-who-where-when-will-enforcement-hit-first-/d/d-id/1331898?