This article originally appeared in Security Info Watch on September 7, 2018.
Just three months after its official implementation, the European Union’s General Data Protection Regulation (GDPR) is already having negative financial repercussions for at least one large multinational organization, albeit in a way not many anticipated.
A shareholder of Nielsen Holdings, the market research firm best known for tracking television show ratings, recently filed a lawsuit against the company claiming that its senior leadership, including its CEO and CFO, intentionally misled investors about their preparedness for GDPR and the impact it would have on the company. The shareholder claims that Nielsen would later blame GDPR for missing its 2018 financial projections and that the company’s stock lost more than a quarter of its value as a result.
According to Chris Olson, CEO of The Media Trust, a firm that helps companies address security and privacy issues on their apps and websites, this lawsuit should serve as a “significant wake-up call” because many companies are operating under the erroneous belief that GDPR and other data compliance regulations begin and end with their own data protection practices.
“Companies are realizing and waking up to the fact that they are responsible for their own (data protection) and all of the other partners they do business with that interact, create or transact their customer data with them,” Olson says. “There are going to be ramifications to their business because most of their data tracking and collection is in the digital assets sphere and it involves other parties who are enabling them to do it effectively.”
Matan Or-El, Co-founder and CEO of Panorays, which offers automated third-party security management services, believes the Nielsen lawsuit could even set a legal precedent that leads to more regulations in the future.
“Companies will have to institute a full strategic plan with standards, rules and procedures for securing data privacy and supply chains, and effectively demonstrate that they took all reasonable precautions to protect the personal information of their customers. Part of that plan should include informing the CEO and board of directors on an ongoing basis of advancements in achieving full GDPR compliance and reporting any possible pitfalls,” he explains. “The problem that companies are encountering with GDPR is that it’s a collection of standards regarding data, privacy and security but open to discussions and interpretation as to what are the exact processes to put in place, what is the best framework and how to implement it.”
Mixed Approaches to GDPR Thus Far
While some companies have taken the implications of GDPR on their businesses very seriously and have become leaders in making compliance and security a high priority throughout the enterprise, Olson says some are simply adopting measures that are convenient and that others are still taking a wait-and-see approach.
The problem with such a lackadaisical mindset towards GDPR, according to Pravin Kothari, CEO of CipherCloud, a provider of cloud security and governance solutions, is that the civil penalties for violating the regulation, be they in the form of fines or lawsuits, are immense and that the power EU citizens now have to exert control over their personal information is unprecedented.
“There is no doubt that the responsible authorities will find many large enterprises with incomplete compliance and will seek to create examples by leveraging large and heretofore never seen unbelievably large compliance penalties,” Kothari says. “All of this creates a strong incentive for multinationals to maintain best practices for data security and threat protection.”
Bolstering Data Protection
Regardless of the type of approach companies have taken to GDPR up to this point, Gabriel Gumbs, VP of Product Strategy for cybersecurity software firm STEALTHbits Technologies, says it’s never too late to put a data protection program in place that addresses the requirements of the regulation. The five steps that Gumbs advises organizations to take to avoid running afoul of the regulation are:
- Appoint a data protection officer.
- Locate all EU citizen data throughout your systems.
- Apply a least privilege model to all EU citizen data (granting a limited set of privileges for people to get their jobs done, but no more than that).
- Generate compliance artifacts surrounding all processing activities (demonstrating accountability and transparency in all decisions regarding personal data processing activities).
- Prepare for data subjects to exercise their rights.
For companies that want to better prepare for GDPR or any other data security regulations passed by lawmakers, Olson recommends that they examine their digital presence to understand the companies they work with to create their consumer experience and then conduct a “deep dive” on the data collection practices that are happening within that.
“If you feel like you’ve got a very full understanding and a plan of exactly what you’re going to do, more than likely you’re in pretty good shape because you’re already in the mindset that you’re considering all of the third parties you’re doing business with that touch the consumer,” Olson explains. “If you find you don’t really know your digital asset or you don’t understand what companies are rendering on your website – what cookies they may be dropping and the collection activities they’re up to – then that’s probably a decent reflection of what’s happening internally and your holistic enterprise view.”
According to Kothari, all large enterprises and multinational corporations need to have a comprehensive strategy for the deployment of encryption and pseudonymization solutions for data to better protect themselves moving forward.
“Controls for all software applications, security, and infrastructure must support the varying data privacy, data protection, data sovereignty, and data residency requirements that multinationals require on a country-by-country or even a state-by-state basis,” he adds. “These must work for applications that run on-premise, in public clouds, in private clouds, and in almost any variety of hybrid configurations.”
If companies by and large don’t get their act together with regard to GDPR, and lawsuits like the one recently filed against Nielsen begin to catch on globally, Olson says the consequences could be severe.
“This idea that there is a lot of money to be made in protecting the ‘consumer’ – there is a lot of political benefit to showing yourself as protecting consumers if you’re a lawyer wanting to become a politician – if that catches on in digital data, it’s going to get bad,” Olson says. “It will also be out of control because it’s not going to be governments enforcing regulations but rather a capitalist endeavor.”