Phone Number +1-202-802-9399 (US)
The Lockdown

Thycotic’s Cyber Security Blog

The EU GDPR is now in effect. What has happened so far?

Written by Joseph Carson

June 26th, 2018

Finally, the time has come. May 25th 2018 is now in the past, and the EU GDPR has come into effect after a two-year transition period. The earth is still rotating, the internet still kind of works.

So what has happened, and have any lessons been learned yet?

EU GDPR and Data Privacy Email SPAM MONTH

Well firstly, we all lived through “spam month” as EU GDPR and Privacy updates poured into our inboxes. Almost every company waited until weeks or days before GDPR went into effect to notify all the individuals whose data they collect and process. This meant we received hundreds of emails from companies whose services we frequently use—and just as many from companies we didn’t even know about! Were you taken by surprise when you realized how many companies you rarely associate with store your personal information?

Facebook and Google became to first victims of a massive lawsuit, potentially worth $8.8 billion, on the very first day

Some got it right, and others got it wrong. Badly wrong

It became apparent that many companies did a poor job of obtaining and maintaining our consent in the first place. We know this because when they updated their privacy policies to cover GDPR they also asked our permission to continue contact. Regardless, I’ve seen companies who have done it the right way—providing clear information about what data they collect, how it will be used, and requiring an explicit opt-in to continue the relationship. But I’ve also seen companies doing it badly, meaning if they do not hear from you within a specific time frame they will assume you’ve opted in. Important lessons can be learned from pre-GDPR consent policies and it will be interesting to see how these companies have interpreted GDPR.

Wow, my inbox is now free of SPAM and my Delete Button is on vacation

Up until May 25th 2018 my inbox was getting hit hard with the policy updates and messages begging me to continue receiving emails and services. I have been very selective about which companies received my opt-in to continue receiving emails. Some give you no choice—you had to opt in to continue using the services. And then May 26th 2018 arrived and my inbox is almost SPAM free! Even cyber criminals appear to be compliant with consent 🙂

And my delete button has surely had a break from having to delete all those useless emails.

GPDR claims it first victims with a $8.8 Billion law suit

As May 26th arrived we started to see some of the impact from GDPR. Facebook and Google became to first victims of a massive lawsuit, potentially worth $8.8 billion, on the very first day. It was filed by Max Schrems, an Austrian Data Privacy activist, who has been successful in previous years and is a critic of companies who collect and abuse surveillance of personal data on a massive scale.  Both Facebook and Google updated their policies, but Max Schrems claims those do not go far enough to protect the privacy of the millions of EU Citizens they serve.  During the recent Cambridge Analytica saga Mark Zuckerberg’s notes (which got leaked during the hearing with Congress) made it obvious that Facebook had not done enough to comply with GDPR. So the question is, what happens next?

Some companies shut down and closed their doors to the EU          

Yes, some companies decided it was not possible to comply so they shut down their services to EU Citizens. Well, not exactly. They just blocked EU regions which does not necessarily mean they won’t gather EU citizens personal data, but instead will limit the amount of Personal Information they gather.  The Washington Post added a fee for EU Citizens for an advertisement-free service (to avoid having their data tracked) and several other companies removed access completely.

GDPR makes it difficult to catch cyber criminals!

ICANN (The Internet Corporation for Assigned Names and Numbers) is the organization responsible maintaining databases and namespaces of the internet and operates the Internet Protocol numbers and DNS (Domain Name System).  One of the major tools used for tracking illegal website operators was ICANN’s Whois Lookup. It provided contact details and the email address of any person who registered a domain name, but it did not comply with the EU GDPR regulation. So ICANN was forced to remove this capability meaning that law enforcement, cyber security researchers and investigators now have a more difficult challenge in identifying owners of illegal websites that are carrying out malicious activities.  ICANN did request an exclusion or exemption, though they failed, so the impact has been felt on day 1 of GDPR.

Here’s one of my favorite examples on the impact of GDPR:

Student talking to teacher: Before I write my name on the board I'll need to know how you're planning to use that data.

The Summary, both good and bad

While GDPR has introduced a multitude of challenges for companies when it comes to providing services to EU Citizens and collecting personal information, it has also made those companies examine the data they are collecting and consider security.  So yes, GDPR has made a positive impact, and while it is not perfect it has forced companies to do more to protect the personal data they have been entrusted with.  Some of these challenges negatively affect law enforcement and cyber security researchers trying to make the internet a safer place, however they can be overcome while keeping GDPR in place and successful.  In the end it is up to us to make the world and the internet a safer, secure place where we do not get abused.


Like this post?

Get our top blog posts delivered to your inbox once a month.