GDPR's Scariest Provision; You've Been Warned!
Chris Gebhardt
CISO. Practical. Reasonable. Creative. Concise. Experience with FedRAMP, CMMC, ISO, SOC, NIST, and many more. Former LE SWAT Team Leader.
The entire world is wrapped around the European Union's General Data Protection Regulation, which becomes effective on May 25, 2018 (three days from the writing of this article). There are tons of rules businesses must follow under the GDPR, and data subjects are recognized as having certain Rights to their data, from erasure to portability to correction. But there is one Right in the GDPR that should scare the crap out of all businesses: the Right to Compensation.
Under Article 82, Data Subjects, also known as private citizens, can bring civil actions against businesses regardless of where that business is located. Everyone is so focused on the governmental fines of 2% of revenue and €20 million that the Right to Compensation has gone almost unnoticed.
Article 82 is where the GDPR will be a bane for businesses around the world. I'm sure there are lawyers (barristers) just waiting to launch lawsuit after lawsuit in member states against all sorts of businesses. The burden of proof for such claims is rather simple: the business didn't erase the data subject's data, or failed to correct an error, among others.
The really scary part of Article 82 is the level of harm a data subject must show. It is practically non-existent. It allows for material and non-material harm to be considered in the penalty. Non-material harm includes things like anxiety, frustration, and distress. How do you place a value on those? We will find out shortly after the first cases are filed.
I'm not marketing any products or services, so I don't consider this post the normal FUD (Fear, Uncertainty, and Doubt/Disorder). Consider it more of a prediction of future events based solely on my opinion. I hope I can tell you in a few months that I was wrong. This is certainly one aspect of GDPR I would like to be wrong about! But I doubt it. So, consider yourself warned!
What can you do to avoid such cases? Follow the GDPR to the letter. Honor all requests received. Have a mechanism in place to handle and track such requests.
///Chris\\\
#GDPR #DataProtection #Datageddon #Privacy