
posted by martyb on Saturday September 28 2019, @08:48AM
from the less-is-more dept.

Under one in three organisations are fully compliant with the General Data Protection Regulation, despite the privacy legislation coming into force across Europe almost a year and a half ago.

Consultancy firm Capgemini surveyed over 1,000 compliance, privacy and data protection personnel and found that despite three quarters of them having previously been confident about being compliant by the time GDPR came into force in May 2018, that isn't the case in reality and many are still struggling to adhere to the legislation. 

Now just 28% of those surveyed believe they're fully GDPR compliant – despite regulators being willing to issue heavy fines.

The UK's Information Commissioner's Office (ICO) has already issued a record fine of £183m to British Airways for what it concludes to be "poor security arrangements", which led to personal data of half a million customers being stolen by hackers in a cyberattack disclosed in September 2018.

"For many organisations, the true size of the GDPR challenge only became apparent as they began the initial projects to identify the applicable data that they held. As a result, only the most focused organisations had completed their GDPR readiness by the time the legislation came into force," Chris Cooper, head of cybersecurity practice at Capgemini, told ZDNet.

[...] The Capgemini survey found that of those organisations that are fully GDPR-compliant, 92% of executives from these firms believe that being so has given them a competitive advantage by enabling them to improve customer trust, customer satisfaction and brand image, with all of this helping to boost revenue.

GDPR-compliant organisations also point to benefits behind the scenes, with around four in five of those surveyed of the opinion that being compliant with data protection regulation has helped improve IT systems and cybersecurity practices throughout the organisation.

"Organisations need to promote a data protection and privacy mindset among employees and integrate advanced technologies to boost data discovery, data management, data quality, cybersecurity, and information security efficiencies," said the report.

[...] "The introduction of GDPR was not a deadline but the start of an ongoing process and there is a lot more work to be done. That said, we will not hesitate to act in the public's best interests when organisations wilfully or negligently break the law," said an ICO statement.


Original Submission

  • (Score: -1, Offtopic) by Anonymous Coward on Saturday September 28 2019, @08:56AM (1 child)

    by Anonymous Coward on Saturday September 28 2019, @08:56AM (#899846)

    when he suspended parliament.

    How come he's not in jail?

    Quit playing tiddly-winks with your damn computers and lock the bastard up!

    • (Score: 0) by Anonymous Coward on Saturday September 28 2019, @11:35AM

      by Anonymous Coward on Saturday September 28 2019, @11:35AM (#899881)

      How does one break a law that does not exist at the time of the action?

  • (Score: 3, Insightful) by J_Darnley on Saturday September 28 2019, @09:20AM (1 child)

    by J_Darnley (5679) on Saturday September 28 2019, @09:20AM (#899849)

    the true size of the GDPR challenge only became apparent as they began the initial projects to identify the applicable data that they held

    You have been spying on people so much you have no idea what data you really need to keep for business purposes?

  • (Score: 4, Interesting) by SemperOSS on Saturday September 28 2019, @09:47AM (11 children)

    by SemperOSS (5072) on Saturday September 28 2019, @09:47AM (#899852)

    Let us be quite clear, until a sufficient number of companies are hit sufficiently hard, GDPR is not going to change much. Another problem is that it will not be taken really seriously until some high-up people (owners, CEOs, CTOs, board members, …) are being held personally responsible with large fines and the realistic risk of going to jail.

    As a consultant I have time and again pleaded with management and developers to increase the security of their system through the application of methods like firewalls; reverse proxies; diverse systems (e.g. using Linux computers to protect Windows servers or vice versa); data sanitization (e.g. checking that everything that goes into the system conforms to the pre-defined rules for the data — before hitting the actual application server); applying a random parameter to the URLs to prevent session hijacking and transaction playbacks; and, not the least, separating sensitive information and the application with the thinnest possible thread between them (e.g. having the database servers on a separate network from the application servers with just a single connection between the two sets of systems allowing only highly curated data to go between them).

    There are obviously a number of other measures to take like at each stage flagging every illegal request coming from each subsystem (including requests for non-existent data, where it is reasonable) as there should be none. None of these measures are particularly difficult or resource demanding, but require discipline and do not directly support the application's primary objective. Many developers agree in principle but decide to develop the application first and then graft on the security afterwards, which often results in a (more or less) working solution that suddenly needs debugging and support that leads to a mañana syndrome: when I have found this bug, I'll come back tomorrow and do the security. Well, mate, it ain't gonna happen on your watch, is it?


    --
    I don't need a signature to draw attention to myself.
    Maybe I should add a sarcasm warning now and again?
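As an added illustration of the boundary measures the comment above describes (not code from the post's author): a hypothetical gateway that checks every request against pre-defined rules before it reaches the application server, flags every illegal request per subsystem, including requests for non-existent resources, and lets only curated columns cross the database boundary. The endpoint rules, column lists and sample traffic are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Hypothetical pre-defined rules: the only paths the gateway knows, and for each
# path the exact parameter set with a pattern every value must match.
RULES = {
    "/customer": {"id": re.compile(r"[0-9]{1,10}")},
    "/invoice": {"id": re.compile(r"[0-9]{1,10}"),
                 "year": re.compile(r"20[0-9]{2}")},
}

# Hypothetical: the only columns allowed across the app/DB boundary per path.
CURATED_COLUMNS = {
    "/customer": ("id", "name"),
    "/invoice": ("id", "year", "total"),
}


@dataclass
class Gateway:
    # Every illegal request is recorded as (subsystem, path, reason);
    # per the comment, there should be none, so each entry is worth a look.
    flags: list = field(default_factory=list)

    def flag(self, subsystem, request, reason):
        self.flags.append((subsystem, request["path"], reason))
        return None

    def screen(self, subsystem, request):
        """Return sanitized parameters, or None (and a flag) for an illegal request."""
        rules = RULES.get(request["path"])
        if rules is None:  # request for data that does not exist
            return self.flag(subsystem, request, "unknown path")
        params = request.get("params", {})
        if set(params) != set(rules):  # missing or unexpected parameters
            return self.flag(subsystem, request, "parameter set mismatch")
        for name, pattern in rules.items():
            if not pattern.fullmatch(str(params[name])):
                return self.flag(subsystem, request, f"bad value for {name}")
        return dict(params)

    def per_subsystem(self):
        """Count of illegal requests seen from each subsystem."""
        counts = {}
        for subsystem, _, _ in self.flags:
            counts[subsystem] = counts.get(subsystem, 0) + 1
        return counts


def curated_row(path, row):
    """Strip a DB row down to the curated columns before it crosses the boundary."""
    return {k: v for k, v in row.items() if k in CURATED_COLUMNS[path]}


# Constructed sample traffic: one well-formed request and three that break a rule.
SAMPLE_REQUESTS = [
    ("web", {"path": "/customer", "params": {"id": "42"}}),
    ("web", {"path": "/customer", "params": {"id": "42abc"}}),
    ("batch", {"path": "/admin/dump", "params": {}}),
    ("web", {"path": "/invoice", "params": {"id": "7", "year": "2019", "debug": "1"}}),
]


def run_sample():
    """Screen the sample traffic; returns the per-request results and the gateway."""
    gw = Gateway()
    accepted = [gw.screen(subsystem, req) for subsystem, req in SAMPLE_REQUESTS]
    return accepted, gw


if __name__ == "__main__":
    results, gateway = run_sample()
    for (subsystem, req), result in zip(SAMPLE_REQUESTS, results):
        print(subsystem, req["path"], "->", result)
    print("illegal requests per subsystem:", gateway.per_subsystem())
```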
    • (Score: 1, Redundant) by jmichaelhudsondotnet on Saturday September 28 2019, @10:29AM (3 children)

      by jmichaelhudsondotnet (8122) on Saturday September 28 2019, @10:29AM (#899860) Journal

      This is awesome. This is why I come here. It is so rare I hear someone actually talking about actual security on the internet anymore.

      If you are a woman, I am more than a little turned on. (omitting line about the low probability of this because it is sexist but still) Bare metal holdouts in the cloud age, really gets me going.

      I would ask for a job where you work but if you examine my post history, I am a bit of a lightning rod lol. You can either talk publicly about politics or be a working sysadmin I think. The cloud will not work well for you if you anger the oligarchs who own them, it logs disobedience.

      A really smart person would say, hmm someone who walks around attracting APTs, that sounds like a good way to study APTs. You should see my vpn error log after my last journal post, shit's been weird.

      I hope we can be friends, at any rate.

      • (Score: 0) by Anonymous Coward on Saturday September 28 2019, @10:38AM (2 children)

        by Anonymous Coward on Saturday September 28 2019, @10:38AM (#899862)

        If you are a woman, I am more than a little turned on. (omitting line about the low probability of this because it is sexist but still)

        Wow.... such a sexist statement complaining about sexists.....

        • (Score: -1, Troll) by Anonymous Coward on Saturday September 28 2019, @10:59AM (1 child)

          by Anonymous Coward on Saturday September 28 2019, @10:59AM (#899867)

          Look, he's taking a break from stalking the pedo rings operating out of Victoria's Secret. He needs a little R+R and his self-handjobs aren't cutting it. So he will try pickup lines on random ungendered strangers, and try to subvert his own gooey sexism with self-defecation. It is a worthy effort.

          • (Score: 2) by jmichaelhudsondotnet on Sunday October 06 2019, @10:24AM

            by jmichaelhudsondotnet (8122) on Sunday October 06 2019, @10:24AM (#903333) Journal

            Just when I think no one is watching lol

            There are probably more police and military staff who read my things, but must pretend they do not, that I am actually quite famous.

            You identify yourselves when you poison pill what I am doing though by saying I am stalking or advocating lighting things on fire, no one would do that except a paid operative.

            Come out in the open and make those accusations, little babies.

            And be aware that at this point you are helping defend epstein and are yourself in league with child abusers, regardless of what your uniform otherwise states for PR purposes.

            My conscience is clear, if you think yours is, that is a malfunction I cannot help you with.

    • (Score: 0) by Anonymous Coward on Saturday September 28 2019, @11:49AM (6 children)

      by Anonymous Coward on Saturday September 28 2019, @11:49AM (#899882)

      Let us be quite clear, until a sufficient number of companies are hit sufficiently hard, GDPR is not going to change much

      Neither you nor EU legislators live in the real world. The problem with compliance is that most businesses are not operating the type of databases the GDPR should be applied to. The sooner legislators and other fantasists realise this, the better.

      Here in the real world, we use the phone and scribble down contact names on pieces of paper. Useful contacts may eventually be added to customer and supplier databases. Random email enquiries are responded to, the email client stores the data and the archives are retained on the server. That's the way email works, nobody should be sending a fucking email if they can't accept that. Why do you think any of this should be subject to GDPR for the majority of small businesses whose sales are entirely B2B? Why should these rules apply to small businesses outside EU jurisdiction when the customer has entered into communication and trade on a voluntary basis?

      • (Score: 5, Interesting) by SemperOSS on Saturday September 28 2019, @01:07PM (5 children)

        by SemperOSS (5072) on Saturday September 28 2019, @01:07PM (#899893)

        The problem with compliance is that most businesses are not operating the type of databases the GDPR should be applied to. The sooner legislators and other fantasists realise this, the better.

        Random email enquiries are responded to, the email client stores the data and the archives are retained on the server.

        Let me get this clear, you are saying that because we historically have done this wrong, we should keep accepting that it is so? So, by stretching an analogy a bit, back in time lead paint should not be made illegal because so many things were already painted with it and not used in a way that caused poisoning? Just because E-mail servers have not been secured sufficiently historically does not mean that we should accept leaks from them now. The same for E-mail clients that could easily store contacts and retained E-mails in encrypted form.

        The matter of jurisdiction is complicated, I agree, but until we find universal laws that all countries of the world agree to, we will have to accept that local legislation applies locally only. Locally also means that if you are trading locally — either through direct presence or virtually on the web — you are bound by the rules.

        Stop complaining and get real, most data leaks and GDPR infringements are avoidable by the application of common sense (whenever that is legalised) and good coding practices (whenever those become legal).


        --
        I don't need a signature to draw attention to myself.
        Maybe I should add a sarcasm warning now and again?
        • (Score: 0) by Anonymous Coward on Saturday September 28 2019, @02:34PM (4 children)

          by Anonymous Coward on Saturday September 28 2019, @02:34PM (#899916)

          Just because E-mail servers have not been secured sufficiently historically does not mean that we should accept leaks from them now. The same for E-mail clients that could easily store contacts and retained E-mails in encrypted form.

          I'll let my plumber know.

          until we find universal laws that all countries of the world agree to, we will have to accept that local legislation applies locally only. Locally also means that if you are trading locally — either through direct presence or virtually on the web — you are bound by the rules.

          A company based in the US is not trading locally when an EU citizen decides to do business with them. The contract of sale should be governed by US law while EU law applies only to the customer. The EU disagree because all businesses would leave the EU if this reality were recognised. That should tell you that the EU are wrong.

          Stop complaining and get real, most data leaks and GDPR infringements are avoidable by the application of common sense (whenever that is legalised) and good coding practices (whenever those become legal).

          Common sense and good coding practices are the polar opposite of government legislation.

          • (Score: 2) by SemperOSS on Saturday September 28 2019, @07:16PM (3 children)

            by SemperOSS (5072) on Saturday September 28 2019, @07:16PM (#900016)

            I'll let my plumber know.

            Great!

            Oh wait, you were sarcastic. Drat, I don't understand sarcasm.

            I guess your plumber, to the extent she is using third-party programs that are accessible from the internet, should choose suppliers that are GDPR compliant. One would assume that companies like Google and Microsoft are, thus Gmail and Hotmail. The same goes for her accounting software, which she has hopefully updated on a semi-regular basis to ensure it stays compliant with current laws and regulation — not just GDPR. Business correspondence could be handled with Google Docs or Office 365 and should therefore be compliant too. And if her company has less than 250 people, she does not need to keep GDPR records. It is actually not so difficult for small companies to be compliant.

            A company based in the US is not trading locally when an EU citizen decides to do business with them. The contract of sale should be governed by US law while EU law applies only to the customer. The EU disagree because all businesses would leave the EU if this reality were recognised. That should tell you that the EU are wrong.

            This problem cuts both ways, the US arrested the CEO of BetOnSports, who ran an online gambling website in Costa Rica. It was legal in Costa Rica but the US arrested him because online gambling was not legal in the US. Also, Microsoft is fighting the US government tooth and nail against a subpoena to disclose information stored on a server in Ireland — another example of the US not respecting borders and non-US laws.

            Common sense and good coding practices are the polar opposite of government legislation.

            I was being sarcastic, please see my signature.


            --
            I don't need a signature to draw attention to myself.
            Maybe I should add a sarcasm warning now and again?
            • (Score: 0) by Anonymous Coward on Saturday September 28 2019, @09:13PM (1 child)

              by Anonymous Coward on Saturday September 28 2019, @09:13PM (#900047)

              you're one of those suck asses who says "she" when the odds that his plumber is a woman are microscopic. what a stupid bitch. also, fuck the GDPR and the fucking EU. i'm not putting up banners explaining cookies b/c some sack of shit in government thinks everyone is their slave. google and office 365? yeah, that's how fucking stupid this legislation is. fuck you people.

              • (Score: 2) by SemperOSS on Saturday September 28 2019, @10:31PM

                by SemperOSS (5072) on Saturday September 28 2019, @10:31PM (#900073)

                Warning: Arrogance below!

                you're one of those suck asses who says "she" when the odds that his plumber is a woman are microscopic

                Indeed, I am — if for no other reason than that it seems to bother certain people.

                what a stupid bitch

                But this stupid bitch can actually use upper case for more than acronyms.

                i'm not putting up banners explaining cookies b/c some sack of shit in government thinks everyone is their slave

                Or maybe the government thought that it would actually be a good thing to protect their citizens against the, at best, thoughtless, at worst, evil companies for once?

                google and office 365? yeah, that's how fucking stupid this legislation is

                And here I thought I was considerate in promoting American companies to help out with the GDPR compliance.

                fuck you people

                Compelling eloquence.


                --
                I don't need a signature to draw attention to myself.
                Maybe I should add a sarcasm warning now and again?
            • (Score: 0) by Anonymous Coward on Sunday September 29 2019, @10:46AM

              by Anonymous Coward on Sunday September 29 2019, @10:46AM (#900257)

              third-party programs that are accessible from the internet,

              I hope not :-o I'd also hope they aren't storing confidential business data online where it's accessible to big tech.

  • (Score: 4, Insightful) by Rosco P. Coltrane on Saturday September 28 2019, @11:10AM (3 children)

    by Rosco P. Coltrane (4757) on Saturday September 28 2019, @11:10AM (#899873)

    Databases and information systems have become so huge and so complex that it's essentially impossible to independently verify a company's claim that they are GDPR-compliant.

    For instance, how do EU regulators verify that Facebook complies? Are they going to survey all their databases in all their data centers, and check all use cases of the data they hold? I don't think so. As a result, they'll declare compliance based on a couple of Powerpoints provided by FB, essentially swearing the company did this-or-that to comply - which, knowing FB's history of deception, amounts to nothing at all.

    As such, the GDPR is unenforceable unless the concern is small enough to be credibly audited. Therefore, all the GDPR brought is an annoying popup on most websites visited by EU citizens. It most certainly didn't increase my trust in the actors behind the websites I visit.

    The EU might as well have dispensed with the effort of coming up with those silly rules and regulations, and used the money to teach their citizens how to avoid being prey to dataraping companies instead...

    • (Score: 1) by khallow on Saturday September 28 2019, @12:00PM

      by khallow (3766) Subscriber Badge on Saturday September 28 2019, @12:00PM (#899883) Journal

      I'd guess spot checks. Can't verify everything, but you can verify a bit of it. I'm sure it can be gamed, but a sensible audit policy, should they be interested, would limit the degree of violation of the regulation.

      It most certainly didn't increase my trust in the actors behind the websites I visit.

      But perhaps it did for somebody else. I think a lot of the purpose of this sort of regulation is to instill a sense of gullibility in the voting public.

    • (Score: 5, Informative) by RamiK on Saturday September 28 2019, @12:40PM

      by RamiK (1813) on Saturday September 28 2019, @12:40PM (#899889)

      so complex that it's essentially impossible to independently verify a company's claim

      GDPR isn't some toothless American professional standard civic court case oriented regulation. It almost entirely shifts the burden of proof to the service providers in a way that whenever a leak occurs, they must provide proof they did nothing wrong or be found non-compliant by default: “A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.” https://www.digitalistmag.com/finance/2018/03/19/your-gdpr-duties-of-proof-and-liability-05961632 [digitalistmag.com]

      So, it's not enough for Facebook to simply claim compliance. As soon as a leak occurs, they're guilty unless they themselves prove otherwise. e.g. https://www.digitaltrends.com/social-media/facebook-gdpr-decision/ [digitaltrends.com]

      --
      compiling...
    • (Score: 0) by Anonymous Coward on Saturday September 28 2019, @09:17PM

      by Anonymous Coward on Saturday September 28 2019, @09:17PM (#900048)

      but it's not about teaching people not to be slaves. it's about propping up and legitimizing the biggest slave traders.

  • (Score: 3, Insightful) by c0lo on Saturday September 28 2019, @12:08PM

    by c0lo (156) on Saturday September 28 2019, @12:08PM (#899884) Journal

    The Capgemini survey found that of those organisations that are fully GDPR-compliant, 92% of executives from these firms believe that being so has given them a competitive advantage by enabling them to improve customer trust, customer satisfaction and brand image, with all of this helping to boost revenue.

    So, one is driven to conclude that the non-compliant businesses are held back by the risk of improved customer trust, customer satisfaction and brand image.

    Look, for example, imagine you were AT&T, where's the fun [soylentnews.org] of not pulling [soylentnews.org] a fast one [soylentnews.org] to your customers [soylentnews.org]? Without it, life would be insufferably bland and dreary.

    --
    https://www.youtube.com/watch?v=aoFiw2jMy-0
  • (Score: 3, Interesting) by Pino P on Saturday September 28 2019, @01:06PM (4 children)

    by Pino P (4721) on Saturday September 28 2019, @01:06PM (#899892) Journal

    From the featured article:

    one third of respondents say that the financial costs of achieving alignment with GDPR are too prohibitive.

    Here's one example: Article 27 [privacy-regulation.eu] requires that if a private sector business outside the EU processes personal data of EU residents in a way that is not "occasional,"* it must hire a representative on EU soil to handle inquiries from data subjects. This service can cost $2,700 per year [verasafe.com], and for a company with less than $2 million per year of worldwide revenue, with the vast majority being domestic and less than $50,000 per year from the EU, this is easily cost-prohibitive. Nor does the regulation define "occasional," and some analysts speculate** that processing that happens for every order that an EU customer places would not qualify as "occasional." So until such time as courts define "occasional," some small businesses outside the EU have chosen to refuse service to the EU.

    * For processing to be exempt from article 27, it must satisfy all three of these requirements: 1. "occasional"; 2. does not include the subject's membership in protected classes or criminal convictions; 3. does not harm the subject's legal rights.
    ** Citations available on request.

    • (Score: 0) by Anonymous Coward on Saturday September 28 2019, @02:43PM (1 child)

      by Anonymous Coward on Saturday September 28 2019, @02:43PM (#899921)

      How would EU law be enforced against an American entity?

      • (Score: 2) by Pino P on Saturday September 28 2019, @09:36PM

        by Pino P (4721) on Saturday September 28 2019, @09:36PM (#900056) Journal

        If a foreign merchant refuses to pay fines assessed by EU member states' data protection departments, EU member states' customs departments can prevent parcels from reaching buyers in the EU. Or EU member states' financial regulators can pressure payment processors that operate in the EU not to let foreign merchants without a designated representative accept payments from cardholders in the EU.

    • (Score: 1, Interesting) by Anonymous Coward on Saturday September 28 2019, @02:45PM

      by Anonymous Coward on Saturday September 28 2019, @02:45PM (#899922)

      some small businesses outside the EU have chosen to refuse service to the EU.

      All businesses without a legal presence in the EU should, on principle, refuse to trade with the EU. Why comply with the GDPR or collect their VAT without sending them the bill for implementing and running that system?

    • (Score: 0) by Anonymous Coward on Saturday September 28 2019, @09:21PM

      by Anonymous Coward on Saturday September 28 2019, @09:21PM (#900053)

      yeah, that stupid shit is not happening and i'm not going through backups to extract and delete jackasses' email addresses either.

  • (Score: 0) by Anonymous Coward on Saturday September 28 2019, @07:41PM

    by Anonymous Coward on Saturday September 28 2019, @07:41PM (#900024)

    Initially read the headline as "GDPR: Only Three Businesses are Compliant - Here's What's Holding Them Back?"
