GDPR: Restoring Faith in Data Privacy

Data protection is a hot topic, especially after the Facebook and Equifax debacles. However, it has always been the subject of serious attention by enterprise security executives and compliance officers.

The Facebook and Cambridge Analytica scandal is a good example of the consequences of mis-utilisation of data and also reminds us of the need for strong data regulation laws rather than self-regulation or guidelines. The dilemma of government control vs. private control on public data has always been a matter of debate and will continue to be so. However, GDPR will bring a multitude of checks and a control on organisations who are responsible for holding public data.

GDPR (General Data Protection Regulation) will play a crucial role for both the organisation and consumer by helping restore the faith lost in organisations that use personal data. It means implementing strict rules for organisations and backs this up with potentially serious consequences in cases of noncompliance and violation. GDPR compliance demands more than basic data-loss prevention or just post-data-loss reporting. It also demands that organisations set pre-defined protocols and precautionary measures to prevent data-loss in the first place. It also advises organisations on using predictive tools to anticipate attacks and take appropriate action against the exploitation of potential vulnerabilities.

GDPR enforcement:  When and on Whom?

  • Starting 25th May 2018, GDPR will be enforced on all organisations who have offices operating in the European Union (EU), do business in countries in the EU, even if based elsewhere, or firms that are directly or indirectly involved with data management concerning EU citizens. Basically, all organisations that are involved in processing, storing, or transmitting personal data of EU citizens will be obliged to comply with GDPR irrespective of where they are based.
  • In addition, this regulation replaces Data Protection Directive 95/46/EC and adds various clauses, checkpoints which are far stricter than earlier Data Protection Directives.
  • It also broadens the definition of data protection and the type of data that is regulated to include genetic, medical, economic, cultural, and social data.
  • GDPR will evaluate data protection and the overall level of security to determine whether the organisation is covered by the GDPR regulation.

Key GDPR challenges

Key GDPR Challenges

Key challenges with the new GDPR regulations:

  • Under GDPR, regulations are complex, with close to 500 requirements that will affect governance and cyber-security.
  • It is mandatory for organisations to notify authorities within 72 hours of becoming aware of any breach. This demands better data breach detection and fast response capabilities. However, many organisations are currently struggling to identify and investigate data breaches within the given time frame, which leads to visibility gaps that delay investigations. Also, non-standardised processes and lack of efficient analytics to detect anomalies further impact the time frame.
  • Implementation of GDPR must start from the initial development stage of applications. It will be mandatory for all developers to add an extra layer, to test for vulnerabilities, as application vulnerabilities could lead to accidental or unintentional data loss. Application developers need to reconsider risk and privacy during the design process, and security professionals need to find better ways to protect applications in use today.
  • Violations enforced by GDPR across 28 different EU countries will be up to €20 million or 4 percent of the company’s worldwide annual revenue, whichever is greater. Hence, small-scale companies will face concerns on potential fines in case of violations. In addition, penalties have been discussed separately in the GDPR, which also include:
    1. Penalties for noncompliance of customer consent clause.
    2. Penalties for noncompliance of maintenance of records.
    3. Penalties also apply to both controllers1 and processors2. Hence, cloud providers are not exempt as they can be data processors.
  • The adoption of these regulations will not only increase the overall data management and cloud services costs to organisation, but can also increase things like the IoT services cost per device, which, up until this point, have been relatively low. Chinese global players especially will need to ensure IoT modules are embedded with keys (hardware security) to ensure authentication and strong cloud security.

Consumer Consent:  A lawsuit against Vizio for snooping on users’ viewing habits and settled only for $2.2 Million. However, under GDPR penalties and implications of such scenarios will be far higher.

  • Starting in 2014, Vizio made TVs that automatically tracked what consumers were watching and transmitted that data back to its servers. Vizio went one step ahead and retrofitted older models by installing its tracking software remotely. All of this, the FTC and AG allege, was done without informing consumers or getting their consent.
  • Vizio collected a selection of pixels on the screen that it matched to a database of TV, movie, and commercial content. Vizio also identified viewing data from cable or broadband service providers, set-top boxes, streaming devices, DVD players, and over-the-air broadcasts which contributed to as many as 100 billion data points each day from millions of TVs.
  • Vizio sold the consumers’ viewing histories to advertisers and personal viewing habits to content providers. The company even provided consumers’ IP addresses to data aggregators, who then matched the address with an individual consumer or household. Vizio’s contracts with third parties prohibited the re-identification of consumers and households by name but allowed a host of other personal details – for example, sex, age, income, marital status, household size, education, and home-ownership. Vizio allowed these companies to track and target its consumers across devices.
  • Vizio had to pay $2.2 million to settle a lawsuit, which alleged that the company was secretly collecting user data and selling it to third parties.
  • Were this case to have been in the EU and under GDPR, the penalties would have been more severe.
Source: Federal Trade Commission v. Vizio Inc. (No. 2:17-cv-00758) 2017

Vizio Settles for $2.2M Lawsuit over spying Smart TV Consumers

What does GDPR bring to the table?

  • IoT applications and solutions will generate huge data, some of which can be personal data. The sustainable growth of the IoT ecosystem will depend on securing this data. The implementation of GDPR will play a crucial role in the smooth growth of the IoT ecosystem.
  • GDPR is changing the level of awareness on customer data protection and increasing accountability on collecting customer data. As well, boosting confidence within the consumer community and reputation of the organisation.
  • Standardisation of security policies with a strictness on data protection practices that will lead to organisations’ preparedness with requirements and preparation for core-business plans. However, the major goal of GDPR is not only to provide “ready to use” guidelines for the organisation, but also keep day to day checks on the organisation to ensure that they opt for notification of data loss over the good press.
  • The race of digitalization has already pushed many organisations to adopt cloud-based data management. However, most of this data is stored either without encryption or lack of multi-factor authentication to access cloud services. However, after the GDPR implementation, all these organisations will be accountable, not only in case of loss of data, but on protocols and methodology of data protection.
  • GDPR will not only develop a governance framework for the program and assist with technology implementation activities, but it will also become a marketing and advertising buzzword for cyber-security solution providers.


Data use has the power to potentially change the viewpoint of a nation and influence personal choices that go beyond the concern of privacy. Going forward, data will be among the most valuable assets and its protection will be mandatory. The rate of attacks for data acquisition will always tend to increase. However, regulations like GDPR ensure that organisations will pay attention to security. Together with GDPR and other compliance regulations, governments and industry authorities, such as the National Institute of Standards and Technology (NIST), are stepping up to enforce privacy, safety and security regulations on IoT manufacturers. Moreover, the enforcement of GDPR has already created a ripple effect across the world, for example, China’s Personal Information Security Specification has already been implemented from 1st May 2018 and the formulation of India’s Data Protection regulation law is already in motion.

The industry is analysing advantages and disadvantages of GDPR. However, we believe it will push organisations to add an extra level of security, which some considered an unnecessary expense. The major changes in terms of organisational budgeting of data security and staff training on data protection will be mandatory. Overall, GDPR will keep organisations on their toes – the potential costs of getting it wrong have just become much greater.

1 Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
2 Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Counterpoint research is a young and fast growing research firm covering analysis of the tech industry. Coverage areas are connected devices, digital consumer goods, software & applications and other adjacent topics. We provide syndicated research reports as well as tailored. Our seminars and workshops for companies and institutions are popular and available on demand. Consulting and customized work on the above topics is provided for high precision projects.

Term of Use and Privacy Policy

Counterpoint Technology Market Research Limited


In order to access Counterpoint Technology Market Research Limited (Company or We hereafter) Web sites, you may be asked to complete a registration form. You are required to provide contact information which is used to enhance the user experience and determine whether you are a paid subscriber or not.
Personal Information When you register on we ask you for personal information. We use this information to provide you with the best advice and highest-quality service as well as with offers that we think are relevant to you. We may also contact you regarding a Web site problem or other customer service-related issues. We do not sell, share or rent personal information about you collected on Company Web sites.

How to unsubscribe and Termination

You may request to terminate your account or unsubscribe to any email subscriptions or mailing lists at any time. In accessing and using this Website, User agrees to comply with all applicable laws and agrees not to take any action that would compromise the security or viability of this Website. The Company may terminate User’s access to this Website at any time for any reason. The terms hereunder regarding Accuracy of Information and Third Party Rights shall survive termination.

Website Content and Copyright

This Website is the property of Counterpoint and is protected by international copyright law and conventions. We grant users the right to access and use the Website, so long as such use is for internal information purposes, and User does not alter, copy, disseminate, redistribute or republish any content or feature of this Website. User acknowledges that access to and use of this Website is subject to these TERMS OF USE and any expanded access or use must be approved in writing by the Company.
– Passwords are for user’s individual use
– Passwords may not be shared with others
– Users may not store documents in shared folders.
– Users may not redistribute documents to non-users unless otherwise stated in their contract terms.

Changes or Updates to the Website

The Company reserves the right to change, update or discontinue any aspect of this Website at any time without notice. Your continued use of the Website after any such change constitutes your agreement to these TERMS OF USE, as modified.
Accuracy of Information: While the information contained on this Website has been obtained from sources believed to be reliable, We disclaims all warranties as to the accuracy, completeness or adequacy of such information. User assumes sole responsibility for the use it makes of this Website to achieve his/her intended results.

Third Party Links: This Website may contain links to other third party websites, which are provided as additional resources for the convenience of Users. We do not endorse, sponsor or accept any responsibility for these third party websites, User agrees to direct any concerns relating to these third party websites to the relevant website administrator.

Cookies and Tracking

We may monitor how you use our Web sites. It is used solely for purposes of enabling us to provide you with a personalized Web site experience.
This data may also be used in the aggregate, to identify appropriate product offerings and subscription plans.
Cookies may be set in order to identify you and determine your access privileges. Cookies are simply identifiers. You have the ability to delete cookie files from your hard disk drive.