Who will be the first ‘victim’ of GDPR? Experts weigh in.

Lucy Spencer
Naturally Inquisitive
Jun 21, 2018


(Image: Paulius Dragunas via Unsplash)

On 25 May 2018, people across Europe regained control of how and where their personal data is used — or at least, they should have done.

The newly introduced General Data Protection Regulation (GDPR) framework sets out rules for how organizations collect, use and store personal data of Europeans, and threatens heavy fines for those who do not comply. It also requires organizations to announce any data breach a maximum of 72 hours after it is discovered.

Everyone from social media companies and banks to retailers and governments is affected by this new legislation.

The only issue? “It is not possible to be fully compliant with GDPR,” Dai Davis, technology lawyer and Partner at Percy Crow Davis & Co, told a panel at IP Expo Manchester 2018 in April.

Not only is the text of the regulation a little confusing, but data breaches are something of an unfortunate reality in the tech field — whether that is student data, or Yahoo’s spectacular admission that over 500 million accounts had been compromised in a massive-scale hack in 2014. So, it stands to reason that it is only a matter of time before we see the first fine being issued.

But, who will be the first ‘victim’ of the GDPR? I asked tech experts from different backgrounds and disciplines for their predictions.

(Image: rawpixel via Unsplash)

The Internet’s Phonebook

“Although not strictly a “who” but the investigators that use it are the “who” — I think the first victim of GDPR will be WHOIS, because from 25th May, personal details of the registrants of domain names will no longer be available to security researchers tracking APT campaigns and cyber criminals. In malicious registrations the personal details are fake — so not protected by GDPR, but a good indicator that links campaigns in the criminal side of the Interwebs.” — James Mckinlay, Information Security Officer at Barbican Insurance Group.

WHOIS is the internet's domain registration directory, like a phonebook of websites. ICANN, the non-profit that assigns a large portion of domain names on the internet, requires that specific contact information, like names and telephone numbers, is collected. The information is helpful to law enforcement during cyber-threat investigations and is considered a crucial tool when it comes to protecting intellectual property rights. The body has since launched a lawsuit to clarify the future of WHOIS.

The Big Tech Players

“I’m guessing some really big tech company — Facebook or Google, one of those — because they handle a really huge amount of user data and there are a lot of people interested in going after them, I guess.” — Martin Henk, co-founder and VP of Product, Pipedrive

It is true that Google and Facebook have been the focus of EU courts for antitrust and tax. Consumers are also starting to ask questions about how their data is used and collected following Facebook’s Cambridge Analytica scandal. Will this trend continue in the new GDPR era?

Smaller Players

“There is definitely decentralized protocols (that) cannot implement GDPR controls oftentimes. But, because they are decentralized and there is no single party in control, there is no-one really being a ‘victim’ because there is no-one to go after if the decentralized system is not compliant. There is definitely people that are not compliant that are centralized parties that might be ‘victims’. Maybe especially companies that don’t have enough fire power to become compliant; some smaller companies that were not able to implement certain GDPR controls, they will probably be the victims. At the same time, maybe it is reasonable for them to implement those controls. Large companies it is more complex for them to introduce the system, but at least they have a bunch of lawyers and developers that can figure out how to get it done, while a smaller venture might need to spend a lot of time it can introduce a lot of overhead in their functioning in order to figure out exactly what GDPR is and how they can implement it for their solution.” — Peter Czaban, Executive Director of the Web3 Foundation.

Blockchain is lauded as a secure and trusted system. Will the implementation of GDPR help drive it as the infrastructure of choice of the future?

New and Young Startups

“I think the first ‘victims’ of GDPR will be young startups that are doing really interesting things with people’s data but expand globally — perhaps faster than they were anticipating — and then fall prey to some of the GDPR regulations that are newly being enforced, without really having spent the time and effort on legal resources to do analysis jurisdiction by jurisdiction and make sure that they are playing it safe everywhere. So I think there will end up being someone who is doing something really cool, but could be categorized as invasive or in some cases even predatory, and they get caught in that trap.” — Andy Bromberg, President and co-Founder of CoinList.

Startups are seen to be more vulnerable to data breaches than established companies, so will GDPR further impact the ‘move fast and break things’ startup culture?

[[If you have any comments, or thoughts of your own and want to add your predictions to this list, please feel free to message me!]]
