Tag Archives | gdpr

GDPR Countdown: How Facebook & Other Companies are Bracing for Regulatory Impact


In just a couple of months, the General Data Protection Regulation (GDPR) in Europe will require companies to obtain consent before collecting user data from those in the European Union and United Kingdom.

This new set of regulations will give internet users more control over personal data, including user name, photos, email addresses, phone numbers, mailing addresses, banking information and social security numbers. With the GDPR, users will have a set of guaranteed rights, including the rights to edit, transfer or delete any of the data companies collect about them.

Regulatory Impact on Facebook and Others

The GDPR poses one of the biggest regulatory challenges in history for companies like Facebook, which is incredibly reliant on user data collection and analysis. Analysts are still unsure of how large an impact the new regulations could have on Facebook or how strictly they’ll be enforced.

For example, it is not entirely clear which types of personal data (for instance, location, mobile device ID numbers and IP addresses) fall outside the regulations. Additionally, according to Morgan Stanley analyst Brian Nowak, “‘Legitimate interest’ is an exception that essentially removes the need to get consent from consumers to use their data if it can be demonstrated that the company collected data legally, used it justifiably and processed it responsibly.” This exemption will likely apply to data used to prevent fraud or other crimes, but the scope of the exemption is not presently clear.

Facebook collects a plethora of user data to optimize its massive online advertising business. Under the GDPR, Facebook must obtain consent from its users in the EU and UK. Furthermore, its online advertisers who gather user data will have to obtain consent, too. If regulators require active, periodic consent, it’s possible that users would be regularly asked to opt in to data collection. This opt-in process could cost Facebook valuable data.

Prepare – Or Pay the Price

Many companies are unprepared to comply with the GDPR, or completely unaware that its rules will apply to them. Those that don’t comply will face penalties of up to 4% of their annual global turnover or €20 million, whichever is greater. Companies that are hacked and attempt to hide the cyber attack from customers could also face penalties.

TechRepublic reports that, in a recent survey conducted by data management provider Solix, 22% of organizations don’t realize that they must comply with the GDPR if they hold EU and UK citizens’ data, even if they’re based outside of the EU and UK. Additionally, a government report cited in a recent ZDNet article said that fewer than half of businesses understand the new legislation or are taking steps to prepare for compliance.

Assess your liability using this helpful chart and related resources provided by TechRepublic.

Cyber Security Tools for Today’s Environment

Whether the GDPR applies to your company or not, a robust cyber security plan is a must for protecting your company and your customers from potential threats. IEEE offers Cyber Security Tools for Today’s Environment, an 11-course training program for technical professionals across all industries who require up-to-date information on how to protect enterprise networks from potential threats. Get the training your organization needs now to remain secure.


Duggan, W. (2018, Mar 16). Facebook Faces a Major Regulatory Hurdle. U.S. News & World Report.

Gilbert, J. (2018, Mar 16). Time is running out on GDPR compliance: Find out if you’re affected. TechRepublic.

Palmer, D. (2018, Jan 25). GDPR: Deadline looms but businesses still aren’t ready. ZDNet.


GDPR Readiness Gap: Survey Finds Companies Overconfident & Underprepared

A vast majority of the world’s largest organizations believe they’re prepared for the General Data Protection Regulation (GDPR). But they’re not.

At least, that’s according to international law firm Paul Hastings, which surveyed general counsel and chief security officers from 100 FTSE and 100 Fortune 500 companies. Of those, 98% of the Fortune 500 companies think they’re good to go on GDPR compliance, compared with 94% of the FTSE enterprises.

“Achieving GDPR compliance is an enormous task – one that in our experience almost inevitably requires dedicated resources and budget,” Behnam Dayanim, partner and global co-chair of the privacy and cyber security practice at Paul Hastings, stated.

Based on those criteria, very few of the major corporations surveyed by Paul Hastings have actually taken the basic but necessary steps to ensure compliance:

  • 43% are creating an internal GDPR task force, with 39% in the UK versus 47% in the U.S.
  • 33% overall are hiring a third-party to conduct a GDPR readiness gap analysis, and roughly the same percentage are hiring an outside consultant or counsel to assist with GDPR
  • 29% of UK companies report hiring a data privacy officer, which seems low until you compare that to 18% in the U.S.
  • And as far as setting a GDPR compliance budget goes, a scant 10% of UK firms have done so

The new law – which will be enacted in May 2018 – impacts companies that do business with Europe, and how they collect, process, and store personal data about European Union (EU) citizens. Failure to comply risks fines of up to €20 million or 4% of global turnover, whichever is higher.

With time counting down and so few companies performing key compliance measures, Dayanim believes it’ll be a race to the finish line for those needing to abide by this disruptive and far-reaching regulation. “This unfortunately seems to be setting up a scenario for multiple investigations and enforcement activities once the implementation date arrives,” he added.


GDPR will Help Enhance Cyber Security

On May 25, 2018, the EU General Data Protection Regulation (GDPR) goes into effect. This broadly reaching set of regulations related to how personal data is collected, processed, and stored is causing fundamental shifts in the way organizations approach personal data. And rightly so: the fines for non-compliance are significant, at 4% of annual global turnover or €20 million (whichever is greater). GDPR cyber security will greatly impact internet of things (IoT) device developers, as these devices typically collect and transmit a great deal of personal data. It will no longer be acceptable to create IoT devices with weak security measures, as the manufacturers themselves may be held liable for data breaches caused by poor design.

The good news for consumers is that organizations must take the cyber security of personal data into account as part of their efforts to comply with GDPR cyber security requirements. Data privacy and data security, long considered separate things, are becoming intertwined thanks to these new regulations. Andrew Burt, Chief Privacy Officer and Legal Engineer of Immuta, states, “2018 will prove that cyber security without privacy is a thing of the past.” (Forbes) Article 32 of GDPR provides specific guidance related to data security and breach notification. Among other things, data controllers and processors are advised to include:

  • The pseudonymisation and encryption of personal data.
  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
  • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. (Heimes)

It is advisable for organizations to begin now to make data privacy a part of their operational GDPR cyber security strategy. No matter where your organization falls within the process, from creating devices that collect and transmit personal data, to collecting personal data, to processing or storing data locally, on the edge, or in the cloud, the cyber security of personal data is a pressing concern. Hackers regularly target this type of information, and news stories about large data breaches are becoming commonplace. Every organization that falls within the scope of the EU GDPR requirements must reevaluate its cyber security strategy.

Does your organization need to begin implementing a cyber security strategy? Start with the IEEE online course program Cyber Security for Today’s Environment.



Olivi, G. (2017, Nov 24). Cybersecurity and GDPR: Where We are Heading. DLA Piper Privacy Matters.

Press, G. (2017, Nov 26). 60 Cybersecurity Predictions for 2017. Forbes.

Heimes, R. (2016, Jan 6). Top 10 Operational Impacts of the GDPR: Part 1 – Data Security and Breach Notification. IAPP.



IoT and Data Privacy

The Internet of Things (IoT) can produce massive amounts of data. This data has to be transmitted, processed in some way, and then potentially stored somewhere, hopefully securely. (Pollmann, 2017) Much of this data is personal data, and some can be quite sensitive. This brings data privacy questions to the forefront. How secure is the data that is generated by IoT devices? How is it used? What happens to that data once the process is complete? IoT data privacy is key.

When considering data privacy regulations around the world, particularly those required by the EU’s General Data Protection Regulation (GDPR) that goes into effect in May of 2018, the amount of data generated by the growing IoT is a pressing concern. Both developers and consumers of IoT devices will be held responsible for their use of personal data.

Questions to Consider for IoT Data Privacy

Some of the questions that IoT developers and consumers need to consider:

  • What personal data does my IoT device collect about others?
  • Where is that data sent?
  • How is the data used?
  • Is all of the data collected used, or is there information the device should not collect?
  • Does anyone else have access to the data?
  • Where is the data ultimately stored?
  • How long is the data kept?
  • Do we need to build in an expiration time frame for data storage?
  • How secure is that data during transfer and storage?
  • How will consumers be notified if there is a data breach?

The fines for non-compliance with personal data regulations can be millions of dollars/euros, so it is essential that IoT device manufacturers, as well as those that use them, take the time to understand these regulations, and then consult with attorneys on an approach to personal data use, transfer, and storage. IoT data privacy needs to be built into these devices from the ground up, so that personal information remains secure.

Is your organization developing IoT devices? How do you take IoT data privacy into account? Please share your thoughts and experiences in the comments.

And to learn more about the Internet of Things, check out the IEEE Guide to the Internet of Things. This course program provides the foundation you need to understand the Internet of Things and some of its industry applications.



Pollmann, M. (2017, Sep 25). IoT data is growing fast, and security remains the biggest hurdle. IoT Agenda.

EU General Data Protection Regulation Portal.
