GDPR is a great thing hampered by one bad idea

The past week was important for you and your personal information, whether or not you live in the EU.

GDPR, the General Data Protection Regulation that sets guidelines about how personal information of EU citizens is collected and processed, is now official. It's a great idea — uniform rules about how your information is gathered, how it's stored, and how you can take it back, are long overdue. There has been (and will continue to be) plenty of discussion over what's good, bad and ugly about GDPR, but most people who work in information security agree that the goals are well-intentioned and will provide the kind of protections we all need in the 21st century.

A bunch of popular websites just aren't available to European visitors because they aren't GDPR-compliant.

The individual articles of GDPR, however, aren't so universally praised. Having gone into effect Friday, May 25, we already see fallout: the New York Daily News, Chicago Tribune, LA Times and other high-profile websites are now unavailable in countries covered under GDPR regulations because they weren't ready for the new rules. Many other websites and online services have bombarded users with new terms to agree to, and complaints have already been filed against notable tech giants Google and Facebook because they do not offer free services without allowing users to opt out of data collection.


Issues like these aren't surprising. Neither is the sentiment that cloud-based services will lose revenue and be forced to raise prices as a result of GDPR; half the attendees of Infosecurity Europe 2018 think that will soon be happening. They also feel that GDPR will stifle innovation, as small organizations will not be able to afford the infrastructure necessary to be compliant. This is good discussion by the people who need to be having it. Better privacy is worth the hours of back-and-forth needed to get it right.

But there's one part of GDPR that I think is going to do more harm than good — Article 33's 72-hour reporting rule. You can read the full text here, but the gist of it is that a company which keeps personal identification of EU citizens is fully responsible for any breach of security, no matter the reason, and must provide full disclosure to a supervisory committee within 72 hours of a breach. There is nothing great about this rule, but two parts are going to lead to service providers covering up data breaches rather than responsibly reporting them.

The first is the supervisory committee. Different countries have different ways of governing their citizens, but one thing they all have in common is preferential treatment when it comes to creating and staffing any official committee. A friend of a friend or that third cousin who can't stop asking for a handout are prime candidates for any committee seat, and when the primary goal is protecting user data, only the most qualified individuals should be considered. Let's hope that's exactly what's done here, and that regulations can be adapted and enforced by qualified people who have our best interests at heart.

Small companies without the resources necessary to do a full breach investigation may choose to cover them up.

A bigger issue is the forced 72-hour reporting. Even a fully staffed Fortune 500 organization is not going to know enough about a data breach to start filing reports with a government agency. Given such a short window, expect little more than a company's information security officer saying "there was a breach, and we're not yet sure of any details." That's little more than a waste of time for everyone involved, and I'd rather that time be spent trying to find out the why, the how, the when, and the who surrounding any type of data breach.

A smaller company that may already be struggling to meet GDPR compliance will be tempted to investigate whether it can contain the breach and mitigate the damages on its own, without filing any reports. When you're under pressure and understaffed, a cover-up can sound like the right option.

Clearly, it never is. But companies great and small have been known to choose the wrong option time and time again when it comes down to the wire. Any regulation designed to protect users from companies making poor decisions is better without a rule that may push them to do just that.

Responsible and prompt reporting of a data heist is a must. Forcing companies that harvest and hold our data to do the right thing isn't of much use without it. Creating the right oversight committee filled with the right people to revise how break-ins are treated — or even offering assistance when they happen — would go a long way to making GDPR a template for the rest of the world to follow.

Jerry Hildenbrand
Senior Editor — Google Ecosystem

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.

  • Good article man, comments should be fun once more of America wakes up... Just to let you all know, I'm updating my privacy policy and user agreement to make the ways in which I collect and use your data more transparent... For more information and to see my updated terms and conditions, go here:
  • GDPR isn't a great thing for me, I have to report EVERY piece of information that relates to work that I take home. Not a bad thing I hear you say, not so fun when you have a work laptop so you are able to work from home 😐😡
  • If that's how your employer has interpreted GDPR then they are doing it wrong.
  • That's only personal data we have to report on; anything else isn't important. But even so, I have IP addresses to access remote systems, and when I look at it there might be more than that. I'm not sure why we need GDPR in the UK as we already have the DPA.
  • I think the changes in the GDPR are almost entirely for the good. Just the raise in fines from £500,000 to £20m or 4% of turnover is enough to justify new regs. At least now medium and large firms can be suitably punished for the worst breaches.
    The DPA was very good but the world moves on; nowhere more than in data collection and processing.
  • The GDPR is more comprehensive and modern than the DPA. Also don't forget that it's not just the UK, most other EU countries already have their own equivalents in place, but like the DPA most of them were old and stale. Comments like this always confuse me... Why do we need light bulbs when we already have candles? Why do we need cars when we already have horse drawn carts?
  • Best thing I have read written by someone who is, mostly, not subject to the regs. Reporting breaches is the job of a data protection officer (DPO) who might be an employee but who certainly won't have the job of containing the breach as they have to be arm's length from the management of data.
    Engineers can get on with fixing the problem while the DPO can deal with reporting and dealing with the regulator.
    DPOs have a protected role and cannot be disciplined for doing their job, and so will have no interest in covering up breaches. Good DPOs will be expecting breaches and be suspicious if they don't occur. I wish I didn't know all this... 🤪
  • It's also worth noting that this is actually all for the benefit of the data subject, not just to make work. If your own critical personal data, password, ID or other key info has been breached, you don't want the loser of it to wait a month like the hopeless new Australian scheme allows; you want to know as quickly as possible. 72 hours in the GDPR seems like a good compromise between the 72 milliseconds it takes to move data somewhere and the 72 months some big custodians seem to like to take before they tell anyone.
  • Then surely the DPO should be asking what data I have and how it's used, I shouldn't have to tell the company I work for what data I have and how I use it?
  • While I agree that not much may be known within 72 hours, this forces companies like Facebook and others to cough up data breaches way faster. Also, it's their own doing. Had companies been more forthcoming and open about what they do with data and breaches, they might have avoided some of this regulation. Exactly how positive/negative this is for end users and innovation remains to be seen, but it feels like a necessary step for consumers.
  • I think we will find the GDPR, while well-intentioned, will be a mess of issues, needless lawsuits, misunderstandings and a general quagmire.
  • That's my take on it as well. Some US websites have already had access blocked in the EU as they don't comply with GDPR rules, and I suspect a lot more will be blocked as well. Seems like it's just another attempt by the EU to control internet access under the guise of "Data Protection".
  • Yes, it will be a mess, and lawsuits will follow. But after the dust settles, EU citizens will be protected from unfair practices like never before.
    Also, keep in mind, lawsuits are not as needless as you think. There are lacunae in a lot of regulations, as it's impossible to cover everything, and the Court (CJEU) gets to fill them once they become apparent. The only problem is, the first GDPR cases will start being tried at the CJEU in a couple of years.
  • Relying on the government to keep your data safe through legislation is a fail for everyone.
  • The legislation makes clear how data should be collected, processed and retained by firms.
    If you don't like the rules, don't play the game.
    I don't know what you propose as an alternative but if it involves benevolent capitalism then I fear it will lead to inferior outcomes from the owners of the data, us.
  • I honestly don't know an alternative, BUT relying on government is just as bad as crony capitalism. What we have in the U.S.
  • Then we end up with statute being the worst kind of regulation apart from all the others. At least we can vote our governments out... no one gets to vote for the CTO of a private-equity-owned data harvester with loose morals.
  • On the flip side, you don't have to use what they are getting your data from. I know it's a damned-if-you-do, damned-if-you-don't kind of thing. And like I said, I honestly don't know what a good alternative is.
  • And relying on companies like Experian and Yahoo has served the end users well? Really?
  • I'm not arguing that they have.
    But it looks like you don't understand my point. Have a nice weekend.
  • The 72 hours isn't that bad. That rule already existed in the Netherlands for the last few years. I don't recognize the potential problems and we reported several data breaches (2000 employees, health care organization with huge amounts of personal data).
  • There's a good article in The Telegraph that highlights why I don't like GDPR. What do you think will happen with smart home devices where the manufacturer doesn't comply with the GDPR? If you guessed that they stop working, then you would be absolutely right. GDPR is going to cause, and already is causing, more problems than just a few blocked websites. It might be more up to date and modern than the DPA, but it's not optional and there is no grace period for companies in other countries to make themselves compliant. Moreover, if Google don't comply with GDPR then you can all wave goodbye to Google Home, Android smartphones, Nest thermostats, Chromebooks, basically anything by Google. Yes, you can switch out Google for any company and the same thing would apply: nothing from that company would work in the EU.
  • I'm sorry, but Yeelight's response is total crap. They can continue doing business in the EU by becoming GDPR-compliant. If they cannot become GDPR-compliant, there's something wrong with their business model, and I wouldn't want any part of doing business with them. As a Canadian, I will pay close attention to companies that choose the Yeelight model, and opt not to do business with them. Google and its subsidiaries will become compliant, if they aren't already (I believe they mostly are; they're making users agree to a new privacy policy to continue using their services, is all). Your suggestion that Alphabet would drop out of the EU is laughable. As for there being no grace period, companies had TWO YEARS to become GDPR-compliant. I'm amused (but not surprised) that so many failed to get ready.