Litigate the right to privacy of data

It was not more than a few hours after midnight on May 24/25 so that all talks, written badyzes and official notifications to companies about the General Regulation of Data Protection of the European Union become an outbreak of litigation about how organizations handle or not handle the privacy of data.

The first day of the application of GDPR, Facebook, Instagram, WhatsApp and Google were slapped by a lawsuit accusing them of unfairly coercing users to share their personal data. The complaints, which could result in fines of up to $ 9.3 billion if raised, were filed by Austrian privacy activist Max Schrems, a longtime critic of the companies' data collection practices.

Schrems runs a privacy advocacy group based in Austria. (none of your business). Schrems has been fighting Facebook in court for several years. Their lawsuit filed with the EU states that the four companies force users to adopt a "take it or leave it" approach to data privacy, basically requiring users to submit to intrusive service conditions to use the networks social issues.

The GDPR is the most contested law in the history of the EU, the product of years of intense negotiation and thousands of proposed amendments, despite the fact that its components have been present in European legislation for decades.

GDPR: The most radical change for data protection in 20 years

As reported by the Vice President of Data IO Peter Smails eWEEK : "The GDPR is the most radical in data protection over the last 20 years Under the new set of regulations, both US and European companies must demonstrate compliance when it comes to managing, storing and sharing data, no matter how mbadive the data is. security, companies must report data breaches within 72 hours after their knowledge of them.

"One of the biggest problems for next year will be Article 17 of GDPR, which allows you to forget the user's right , which will increase the demand for storage and data management solutions that take data into account. Whether it is specific backup and recovery to protect against ransomware or an intelligent data movement based on queries to support test / development initiatives, CI / CD or GDPR, organizations will need data management solutions that are aware of the data and allow them to protect, mobilize and monetize their data across any cloud boundary. "

GDPR requires clear consent and justification for any personal information collected from users to review their privacy policies and collection practices You may have already seen a lot of emails in this regard, however, there is still a lot of uncertainty about how regulators will handle the requirements, and many companies are not yet ready for the application.

Google , Facebook, Yahoo, LinkedIn and many others have published new policies and products to comply However, Schrems' complaints argue that these policies do not go far enough. In particular, the complaint indicates the way in which companies obtain consent for privacy policies, requesting users to mark a box to access the services. It is a widespread practice for online services, but complaints argue that it forces users to an all-or-nothing choice, a violation of the provisions of the GDPR around particular consent.

Anticipated demands become specific [19659002] The lawsuits are divided into specific products, with one filed against Facebook and two against its subsidiaries of Instagram and WhatsApp. A fourth lawsuit was filed against Google's Android operating system.

Naturally, both Facebook and Google have disputed the charges, claiming that their current current policies are adequate to comply with the requirements of GDPR. "We build privacy and security in our products from the earliest stages and we are committed to comply with the EU GDPR," Google said in a press release.

"We have prepared for the last 18 months to make sure we meet the requirements of the GDPR," Facebook said in its own press release.

This is only the first day of the new era of data privacy. This theme will appear in the news for months and years in the future when companies modify their policies and other consumer complaints come to light.

What people say

eWEEK picked up a series of comments and perspectives from various IT opinion leaders. Here are some of them.

Karen Schuler, BDO's national leader of information governance and information practices:

"We sincerely believe that this is only the spearhead and that the broader changes in the privacy of the data is to come.As Canada enacted its laws last year, China implemented a new cybersecurity law, the Cayman Islands will expand GDPR even though they are part of the United Kingdom, and the Salesforce CEO stated in a recent interview that believes that the US needs to adopt its own GDPR, this is just the beginning.

"Day 1 of GDPR is here and there is still a lot of unknown. The request for evaluations continues, the need for implementation is just beginning for many companies, and I think we are still about to see the worst of compliance actions and lawsuits. Companies that are beginning to implement changes should do so diligently and not rush to improve their business practices. In other words, adopt a systematic approach to implement new practices for GDPR instead of being reactive.

"This reminds me of the early days of electronic discovery and the defense capability around data collection." For many years, courts did not require companies to understand what sources of data they should collect, review and produce. However, as time went on, the courts pointed out that it is necessary to fix your house if you are going to respond to a discovery request. "

Dana Simberkoff, Director of Risk, Privacy and Information Security, AvePoint:

Q: How do cybercriminals use GDPR to meet their needs? "There are several ways in which cybercriminals can take advantage of GDPR to meet their needs An obvious area of ​​exploitation is the Data Subject Access Request, which gives a person the right to request all the information that an organization has It is crucial that companies, first of all, confirm the identity of the person making the request, or that this aspect of GDPR could present a clear risk of identity theft.
"Another potential loophole that cybercriminals can Leveraging is the creation of the data flow record and the aspect of the GDPR data mapping, which documents all sensitive personal information (PII) data flows throughout the organization. If not properly protected, these data maps could create a potential vulnerability for businesses, so, ideally, this type of data should be maintained in a local system.

"Companies that adopt GDPR as an opportunity to digitally transform their data and their corporate culture will be the most successful." Consumer confidence is hard to win and easy to lose, so when done well, best practices Privacy is a competitive advantage, and companies that adopt GDPR will definitely see it come to light. "

Patrick McGrath, Director of Marketing Solutions, Commvault:

Are the demands of Facebook and Google fair or not? " Not expected, there is likely to be an influx of" right to be forgotten "and other similar requests made at the beginning of the GDPR timeline to try to make some noise about it. these and other similar demands are handled to establish a precedent, but I do not expect much (in my opinion) to happen at this stage.

"The GDPR legislation was finalized two years ago with a very clear expectation of the effective date. , giving the organizations a considerable time to prepare for the fulfillment of the GDPR. Forrester estimates that 80 percent of organizations still do not comply and many organizations have adopted a "best efforts" approach in the hope that they will reduce their exposure to regulatory measures. US companies have clearly lagged behind in their efforts, with a notable lack of action taken against companies like Equifax with flagrant infractions. "

Kathie Miley, COO, Cybrary:

" Although I have no knowledge of the compliance status of any of the specific companies belonging to GDPR, I can say that the world had 2 years to prepare for their companies, suppliers and processes for GDPR. However, despite 2 full years, there are still absurd numbers of companies that waited too long, and now it's too late. I am sure that we are going to hear many excuses to move forward, but there is simply no excuse to save them.

"Cybercriminals are already looking for evidence of GDPR noncompliance, once they have enough to establish a substantial fine (up to 4 percent of revenues) they will use the information to extort the companies in the form of past silence money It's already happening, it's only a matter of time before someone makes it public.

"I understand the importance of regulation and I completely agree with your intention. I wish that the USA UU Adopt similar regulations to protect the personal data of our citizens. Unfortunately, GDPR has placed a huge burden not only on the Facebook and Google of the world, but also on [also] very small companies that can not afford the costs of managing the complexity of GDPR. The reality is that this regulation will end with the bankruptcy of companies. "

Matt Bertenthal, Medallia's chief privacy advisor:

" Companies have done a lot of work to prepare for today, but the work does not end. Now is a good time to establish good processes to meet your ongoing obligation to ensure that GDPR processes work well.

"Test your data export and deletion process GDPR allows people in the EU to request copies of all personal data they have on them and request that they be deleted." When your company starts receiving requests to access and delete data, use these first requests as a learning process, do everyone involved in the process know what to do, what is working well and what is not, start to track the types of data deletion requests you are receiving. Once you discover that a particular part of your marketing approach is causing more removal requests and should be reviewed more comprehensively, you may need to design new features of automated process products to handle the volume and types of requests you will receive. [19659002] "Test your response plan to data breach. GDPR requires data controllers to report certain types of data breaches to regulators within 72 hours, and data processors have to notify controllers of any non-compliance "without undue delay." Privacy lawyers and compliance professionals know how important it is to respond immediately in a data security context, but do they know exactly what people do in their response plan to the infringement? And are they ready for the urgency that would be presented by a real incident? Do not just ask these questions, try them. Run tabletop exercises with cross functions, so that your team is really ready.

"Evaluate your training programs Many companies have just made significant efforts to train teams on GDPR compliance." Everyone in your organization knows how to handle data across the company to comply with GDPR. What worked, what did not? Plan now what you will do differently in your next round of GDPR and privacy training. "

Ian Eyberg, founder of NanoVMs:

" I thought this was completely There is definitely a reaction against the "great technology." Personally I am divided since I have always been an advocate of privacy, but at the same time I enjoy certain comforts that exist with personal data. a great opportunity for the right entrepreneurs to find new ways to deal with these problems.

"I would be surprised if we do not see a lot of scams that kidnap companies ies for fees to ensure they meet.

"It is one thing to be tracked at the airport, which our constitution explicitly prohibits, but at the same time to realize that Google knows every step it has taken and feels aggrieved by one and not outraged by the other."

"I think the industry should find ways to deal with privacy issues before governments become involved."

Brian Vecci, Technical Evangelist, Varonis:

"Not surprisingly, the big ones Technology companies are first to face problems now that the GDPR is in effect. They have the most information about most people and their business depends on it; they will always be the first affected and possibly the most affected. What is interesting is that they are already being accused of ignoring the new regulation when it seems clear to all that they pay attention that, although it is true that they do not comply, ignore the last thing that the big technology companies have been doing. But that is not necessarily true for all the other companies that collect and use consumer data and are now subject to the GDPR.

"As a society, we drastically underestimate the inherent value of our own personal data and what it reveals about us over months and years." The GDPR is not going to kill their business model, but it will force them to finally deal with our personal data as something valuable not only for them but also for us.

"Many organizations have had to wait … and see the GDPR approach, betting that they can fly under the radar for a while and save some money by not having to change much about how they secure this type of data and keep it private (or do not). That could end up being more costly in the long term, since although many companies still do not fully comply, those that have taken clear measures will probably see much milder sanctions for violations. Those who are really ignoring the GDPR and have done nothing are probably the hardest hit. "

Brian NeSmith, CEO and co-founder of Arctic Wolf Networks:
" Privacy is on the way to becoming a fundamental right in the USA UU., And as such, parts of GDPR will undoubtedly become policy in the US. UU in the next years. The process may take longer than we would like, but with each major breach, the process will be accelerated.

"For many years, online data collection ignored the radar of regulators and most consumers, but the tide has changed as years of cases like the Equifax violation and the Cambridge Analytica scandal They have accumulated and raised awareness about the economic, political and social ravages that leaked customer data can create.

"People now believe that everyone's right to life, freedom, the pursuit of happiness … and data privacy. "


Source link