Caute_cautim
Community Champion

GDPR must be working: penalties are being awarded.

Hi All

Latest news on state of GDPR penalties:  https://securityintelligence.com/news/weekly-security-news-roundup-gdpr-fines-imposed-total-e114m-th...

Regards

Caute_cautim

7 Replies
emb021
Advocate I

Maybe.

I work for a company that does security risk assessment for a variety of clients.

Mostly HIPAA, with some financial and other frameworks/regs such as NIST CSF, ISO 27001, GLBA, NY-DFS, etc.

When GDPR was coming, we did some prep work to be able to help our clients with it.  We knew some of our clients would need help.  We got a few inquiries, but then no requests for any formal work.  Nothing has changed.  Now with CCPA we've seen a little stuff and one client is planning a major DPIA work to prepare themselves, but not a whole lot in that area either.

Not sure if other companies have seen the same thing or not.

 

---
Michael Brown, CISSP, HCISPP, CISA, CISM, CGEIT, CRISC, CDPSE, GSLC, GSTRT, GLEG, GSNA, CIST, CIGE, ISSA Fellow
Caute_cautim
Community Champion

@emb021 Thank you for the response - I have seen here in New Zealand, some are taking it very seriously, given the New Zealand Privacy Law is under revision to align with GDPR and obtain its credibility again.

However, I know at least one company, who must be at least two years behind, and only really understanding the implications as Fintech and digital money come into force - so they are definitely on my radar at the moment.   Yes, you guessed correctly, it's a Bank......

Regards

Caute_cautim

emb021
Advocate I

Yeah.

The one company I mentioned doing the major data privacy review is a financial company.

We have some other clients, some major hospitals and universities, with EU info we thought would want to do GDPR stuff, but it hasn't happened.

We have some clients in the retail space, but most actually try to keep very little consumer info or PII, so their risk is pretty low.

Some seem more worried about CCPA than GDPR.

We'll have to see how things shake out.

 

---
Michael Brown, CISSP, HCISPP, CISA, CISM, CGEIT, CRISC, CDPSE, GSLC, GSTRT, GLEG, GSNA, CIST, CIGE, ISSA Fellow
Caute_cautim
Community Champion

@emb021 Yes, very interesting.  The Data Manager also has the same concerns with CCPA and SB-327, combined with GDPR and compiled with the revisions to the NZ Privacy Act too.   Looks like 2020 will be sheer fun and more fun.

Thanks once again

Regards

Caute_cautim

AppDefects
Community Champion

@Caute_cautim wrote:

Latest news on state of GDPR penalties:  https://securityintelligence.com/news/weekly-security-news-roundup-gdpr-fines-imposed-total-e114m-th...

Seriously? GDPR fines do NOT work. They are not even close to living up to what was "advertised". Do you really think big tech cares? It's the cost of doing business. I'm an advocate of giving out jail time. You want change? That is what to advocate your lawmakers for.

JKWiniger
Community Champion

Overall, I think GDPR is a good thing and a step in the right direction. People have said companies in the US are just ignoring it, but give it some time! It seems like the EU is policing and fining companies in the EU right now, which makes sense. Go after places in your own backyard and get your house in order before going elsewhere. I do believe that the EU will start targeting US companies and hitting them with fines, and once this happens all hell will break loose. Places need to be pushed hard at times; just look at Windows 7. Companies have known it was going end-of-life for years, and have they migrated everything to Windows 10? Doubt it.

I think since the EU enacted this, the US and other countries will follow with their own laws. The penalties will probably get increased after the fact, like with the CAN-SPAM Act. There is no magic fix, but at least taking steps in the right direction is a start.

John-

Caute_cautim
Community Champion

@AppDefects   Well, I agree penalties do not work - citing the New Zealand Privacy Act 1993, the current one, which is under revision to incorporate GDPR-like controls, but without the same penalties.  In fact the penalties will remain the same - NZ $10,000, which is just a slush fund kept in the background to pay, if found wanting.  Or just admit it, before the Privacy Commissioner launches a formal investigation, because one did inform them on a timely basis.  However, a similar law in Australia, the Notifiable Data Breach (NDB) scheme, when it came into action did have a marked improvement, as everyone popped up prior to the legislation, rather like an amnesty period, and volunteered to out themselves rather than be publicly penalised.

I am not sure that jail time would improve things unless, under the relevant Companies Act 2006 or equivalent around the world, the Director of the organisation is held fully responsible and is formally struck off, never to hold such a position again.  However, this is rarely enacted.

Regards

Caute_cautim