GDPR: First Month Recap
About GDPR
The wave of dozens of policy-change emails is finally over. As soon as GDPR came into effect on May 25th, 2018, the internet instantly transformed.
The rules of this highly anticipated regulation caused stress and drew attention at organizations large and small. The internet users who have noticed the biggest difference are citizens of the European Union. From instantly losing access to certain websites to seeing significantly faster loading times on others, this is truly an impactful change.
Let’s recap what we have seen in the first month of a world with GDPR.
Fewer Services Available for EU Visitors
Multiple sites have blocked access to European users until they iron out their GDPR compliance, if that is even in their plans. A huge swath of these are news sites, including the LA Times and Chicago Tribune, both of which have committed to changing this limited access in the future.
Other sites remain available but ask for consent to collect user data. NPR allows you to decline its new data protection rules by offering an option to browse the plain-text version of its website instead. Pinterest-owned Instapaper and email unsubscribing service Unroll.me are among the web services that have halted availability to EU residents indefinitely.
Not all websites and services have properly prepared for GDPR yet. Once it’s clear how GDPR will be enforced, we will see many organizations go through safety measures until they are comfortable with the regulation. Meanwhile, in an effort to be compliant, Twitter is blocking any users that it believes were under 13 years old when they signed up, even if they are older than that now.
Multiple Lawsuits Regarding GDPR
A longtime critic of Facebook and Google’s data collection practices filed lawsuits against both companies within a few hours of GDPR coming into effect. Google received separate complaints for Gmail, YouTube, and its Search from a different group in France. Apple, Amazon, and LinkedIn are also facing lawsuits within the first week from the same French digital rights group.
To avoid lawsuits, companies are requiring visitors to consent to have their data exploited in ways that do not align with the “use data for core service delivery only” requirement within GDPR.
ICANN filed a lawsuit because one of its main European DNS registrars, EPAG, decided to no longer collect information for fear of being fined under GDPR requirements. The contract between ICANN and EPAG requires EPAG to collect this information and pass it along. This suit will hopefully clear up this grey area within GDPR and how data is collected and shared between organizations.
GDPR and Blockchain Clash on a Fundamental Level
Article 17 of GDPR mandates that a data subject should have the “Right to be forgotten.” Basically, it says that data subjects have the right to have their personal data erased without delay. This is designed for scenarios where data is centrally stored and processed.
A fundamental part of blockchains is decentralized data storage that is tamper-proof. This makes GDPR and blockchain incompatible at first glance. GDPR and blockchains aim to do the same thing (give control back to individuals), but immutability and the right to erasure cannot co-exist as things stand today.
Although GDPR is widely agreed upon to be a step in the right direction, is it worth the risk of harming innovative technology?
California Comes Next
California passed a law very similar to GDPR about one month after GDPR was released. This new law grants consumers the right to know what information companies are collecting about them and how it is used. It also gives consumers the right to request that companies delete their data and not share it with anybody. Businesses must give consumers the same quality of service even if they opt out of allowing their data to be shared. It will be easier for consumers to sue companies, and it will be harder to share or sell data on anybody under the age of 16. This legislation went into effect in January 2020 and gave state attorneys general the authority to fine companies that breach the regulation.
Summary
Organizations all over the world prepared heavily for GDPR compliance. Many compare the entire process to preparing for Y2K. Many organizations are still extra cautious, probably waiting to see a few examples of non-compliance. The whole world is waiting to see what GDPR enforcement looks like with its potentially detrimental fines.
With a handful of lawsuits and GDPR complaints already filed against them, tech giants are already at bat to defend themselves from multi-million dollar fines. California is following suit, bringing many of the same mandates as GDPR to the United States, though they won’t take effect until 2020.
How Sedara Can Help You
Sedara has an experienced team that can enable you to take your compliance to the next level. Let’s guide your organization to GDPR Compliance.