GDPR is a significant piece of legislation whose full impact will clearly take some time to shake out.
A major point of note right off the bat is that GDPR does not merely apply to EU businesses; any entities processing the personal data of EU citizens need to comply. The extra-territorial scope of GDPR casts the European Union as a global pioneer in data protection. Also under GDPR, financial penalties for data protection violations step up massively.
GDPR aims to have every link in the processing chain be a robust one. Companies need to maintain up-to-date records to demonstrate their compliance, and to appoint a data protection officer if they process sensitive data on a large scale or collect information on many consumers.
Through its running emphasis on data protection via data security, GDPR implicitly encourages the use of encryption as more than a risk-reduction technique. Another major change arriving with GDPR is that ‘privacy by design’ is no longer just a nice idea: privacy by design and privacy by default become firm legal requirements.
GDPR also encourages the use of pseudonymization — such as, for example, encrypting personal data and storing the encryption key separately and securely — as a pro-privacy, pro-security technique that can help minimize the risks of processing personal data. Data has to be rendered truly anonymous to be outside the scope of the regulation.


  1. Tomi Engdahl says:

    Mark Scott / Politico:
    Activists and some legislators say that a GDPR-like bill to give Washington state some of the toughest privacy standards in the US was diluted by tech lobbyists

    How lobbyists rewrote Washington state’s privacy law

    Washington state was writing European-style legislation. Then corporate lobbyists got involved.

  2. Tomi Engdahl says:

    GDPR Conformance Does Not Excuse Companies from Vicarious Liability

    The UK supermarket chain Morrisons’ legal battle with 5,500 of its own employees over vicarious liability introduces a new threat element to the already complex and confusing demands of the EU’s General Data Protection Regulation (GDPR).

  3. Tomi Engdahl says:

    Steve Ranger / ZDNet:
    UK’s tax authority to delete records of ~5M people from its Voice ID biometric voice security system because it did not have clear user consent, violating GDPR

    HMRC to delete five million biometric voice records

    ‘Biggest ever’ deletion of biometric data by government comes after HMRC obtained data “unlawfully” according to privacy regulator.
    Steve Ranger

  4. Tomi Engdahl says:

    UK taxman falls foul of GDPR, agrees to wipe 5 million voice recordings used to make biometric IDs
    Yes, yes, yes, we’ve told the ICO we are doing so, says HMRC

  5. Tomi Engdahl says:

    Does data have to be deleted from tape too if someone asks? – this is how GDPR affects backup tapes

    The EU has given citizens the possibility to demand that online services delete their own data.

    According to Timo Danilotschkin, CEO of the storage-device vendor MultiCom, deleting data involves a dilemma: data retention obligations may conflict with the EU-granted right to be forgotten.

    “If a data deletion request is legitimate and is carried out, this may at the same time violate regulations concerning the historical integrity of the data or other regulations, such as those concerning accounting retention periods. Later there could be a court case in which it would be necessary to prove what the stored data was earlier, and then there would be problems if the data has been tampered with afterwards,” Danilotchkin explains.

    The only practical way to comply with both sets of rules at the same time would be to keep operational data and data used for backup separate.

  6. Tomi Engdahl says:

    ”GDPR had a big impact” – the Data Protection Ombudsman’s workload grew strongly

  7. Tomi Engdahl says:

    Where GDPR goes next: How digital privacy is taking over the world

    One year on from the EU introducing its data protection laws, the impact is spreading around the world.

    Designed to update the privacy rights of internet users and ensure organisations are transparent and responsible when handling the personal information of customers and clients, the European Union’s General Data Protection Regulation (GDPR) laws came into force on May 25 last year.

    GDPR was designed to protect EU citizens’ data, but the open nature of the web inevitably means it has an impact beyond its own shores. Even companies outside of the EU will often have to comply with the data protection legislation – for example, if they offer goods or services to EU citizens or if they have a branch somewhere within the trading bloc.

    This extended reach of GDPR has led to some unexpected outcomes. One example: European internet users looking to visit some US-based news publications may find that they can’t view the websites – instead being met with pages explaining the publication didn’t comply with the new legislation and blocked them out instead.

    Some eventually found solutions to this, while a year on from the legislation being introduced some US publications continue to only show a holding page to European visitors.

    “To a large extent in the US, most users attribute GDPR with an influx of cookie notifications and see it as an annoyance, rather than what it is: an attempt by regulators to give the consumer a level of visibility and control over what data is being collected about them,” says Tim Mackey, senior technical evangelist at Synopsys.

    But soon enough, even for businesses that have no involvement with the EU, there may be no hiding from data protection legislation as countries and regions around the world look to implement their own privacy laws, including Brazil, Japan, South Korea, India and others.

    One of those is the home of Silicon Valley, California, which is set to introduce the California Consumer Privacy Act as of January 1 2020.

    Apple CEO Tim Cook has called for the US to introduce an equivalent to GDPR to prevent data being weaponised against users. Facebook CEO Mark Zuckerberg recently spoke about how privacy will be the future of Facebook – even though he admits himself that some may find that hard to believe.

  8. Tomi Engdahl says:

    Alfred Ng / CNET:
    On the first anniversary of GDPR, Microsoft calls for a similar privacy law in the US that puts the burden on the companies that collect and use sensitive data — Microsoft’s idea of a US privacy law would make it easier for people to protect their data. — The company’s corporate vice president …

    Microsoft wants a US privacy law that puts the burden on tech companies

    Europe’s privacy law went into effect nearly a year ago. It’s time for the US to catch up, the tech giant says.

  9. Tomi Engdahl says:

    Matthew Wall / BBC:
    Since GDPR, Ireland’s Data Protection Commission says it has launched 19 cross-border investigations, 11 of which focus on Facebook, WhatsApp, and Instagram — Social media giant Facebook and its subsidiaries Instagram and WhatsApp have been the subject of most data investigations in the Republic …

    How Ireland became Europe’s data watchdog

    Social media giant Facebook and its subsidiaries Instagram and WhatsApp have been the subject of most data investigations in the Republic of Ireland since the European Union’s new data protection regulation came into force a year ago.

  10. Tomi Engdahl says:

    Philip Nabben / Lexology:
    In the year since GDPR took effect, a look at the first wave of decisions and fines issued by data protection authorities in EU countries — European Union, France, Germany — On Saturday 25 May 2019, the EU General Data Protection Regulation (GDPR), which aims to protect personal data including …

    The GDPR: one year on

  11. Tomi Engdahl says:

    One Year on, EU’s GDPR Sets Global Standard for Data Protection

    The EU’s strict data laws have set the global benchmark for protecting personal information online since coming into force a year ago, but some worry that many users have barely noticed the change.

    The “General Data Protection Regulation” (GDPR), launched on May 25 last year, enhances the rights of internet users and imposes a wide range of obligations on companies, including that they request explicit consent to use personal data collected or processed in the European Union.

  12. Tomi Engdahl says:

    One Year on, EU’s GDPR Sets Global Standard for Data Protection

    The EU’s strict data laws have set the global benchmark for protecting personal information online since coming into force a year ago, but some worry that many users have barely noticed the change.

  13. Tomi Engdahl says:

    Analysis Shows Poor GDPR Compliance in European Websites

    Marking the one-year anniversary of GDPR coming into force (May 25, 2018), a web-scanning service has analyzed the visible GDPR compliance of the 100 most popular websites in each of the 28 European member states. The scan is non-intrusive. As a result, it cannot say that an organization is compliant (non-compliance can occur deep in the system), but it can say if an organization is not compliant simply by examining the parts that are visible over the internet.

    The firm concerned, ImmuniWeb (formerly High-Tech Bridge), has added GDPR scan components to its existing website security test, and made this a free offering. The four visible elements of GDPR compliance that it checks are access to the privacy policy, insecure use of cookies, outdated or vulnerable content management system (CMS) components, and lack of HTTPS encryption (or use of SSLv3, which is more than 20 years old and should have finally died with the POODLE attack in 2014).

    The results are surprisingly inconsistent across the different countries, and generally not very reassuring. However, website security and use of HTTPS are promising, with an average of just 6.75% and 5.96% failures. Greece is the worst nation for website security, with a 38% failure rate. Malta is worst on HTTPS with a 29% failing.

    It is difficult to draw clear conclusions from this survey — but two things do stand out. Firstly, not a single European country displays complete GDPR conformance across all its websites. Secondly, website operators seem to draw a distinction between security and compliance. Website security issues are given higher importance (an overall 6.75% failing) than cookie protection and privacy policy issues (78.25% and 51.5% failing respectively).

  14. Tomi Engdahl says:

    Google faces Irish inquiry over possible breach of privacy laws
    Technology firm’s Ad Exchange processing of users’ personal data being investigated

  15. Tomi Engdahl says:

    UK’s ICO fines British Airways a record £183M over GDPR breach that leaked data from 500,000 users

    The UK’s Information Commissioner is starting off the week with a GDPR bang: this morning, it announced that it has fined British Airways and its parent International Airlines Group (IAG) £183.39 million ($230 million) in connection with a data breach that took place last year that affected a whopping 500,000 customers browsing and booking tickets online. In an investigation, the ICO said that it found “that a variety of information was compromised by poor security arrangements at [BA], including log in, payment card, and travel booking details as well as name and address information.”

    The fine — 1.5% of BA’s total revenues for the year that ended December 31, 2018

  16. Tomi Engdahl says:

    Marriott to face $123 million fine by UK authorities over data breach

    The U.K. data protection authority said it will serve hotel giant Marriott with a £99 million ($123M) fine for a data breach that exposed up to 383 million guests.

  17. Tomi Engdahl says:

    The big picture: Privacy laws, including Europe’s mammoth General Data Protection Regulation and California’s recently passed regulations, often include provisions to allow people to request the personal information that companies have compiled on them.

    Yes, but: These laws have not generally done a good job clarifying acceptable ways to do this safely.

    Details: James Pavur, a Ph.D. student at Oxford University, bet his fiancee he could use GDPR to steal her personal information.

    He contacted around 150 companies, requesting her data via a fake email account in her name. 83 of the firms had her data, and roughly 1/4 of those provided it to him, no questions asked.
    “Companies are afraid under GDPR of telling you no.”
    — James Pavur


  18. Tomi Engdahl says:

    Sites using Facebook ‘Like’ button liable for data, EU court rules

    Europe’s top court ruled Monday (30 July) that companies that embed Facebook’s “Like” button on their websites must seek users’ consent to transfer their personal data to the US social network, in line with the bloc’s data privacy laws.

    According to the European Court of Justice ruling, a site that embeds the Facebook “like” icon and link on its pages also sends user data to the US web giant.

  19. Tomi Engdahl says:

    “No matter what transfer mechanism you use, you end up with a conflict. The U.S. laws allow espionage against EU citizens” – Max Schrems, lawyer and privacy activist

  20. Tomi Engdahl says:

    Preclusio uses machine learning to comply with GDPR, other privacy regulations

  21. Tomi Engdahl says:

    Leo Kelion / BBC:
    Researcher says one in four UK- and US-based companies contacted to test a GDPR “right of access” request made in someone else’s name revealed personal data

    Black Hat: GDPR privacy law exploited to reveal personal data

    About one in four companies revealed personal information to a woman’s partner, who had made a bogus demand for the data by citing an EU privacy law.

    The security expert contacted dozens of UK and US-based firms to test how they would handle a “right of access” request made in someone else’s name.

    It is one of the first tests of its kind to exploit the EU’s General Data Protection Regulation (GDPR), which came into force in May 2018. The law shortened the time organisations had to respond to data requests, added new types of information they have to provide, and increased the potential penalty for non-compliance.

    “Generally if it was an extremely large company – especially tech ones – they tended to do really well,” he told the BBC.

    “Small companies tended to ignore me.

    “But the kind of mid-sized businesses that knew about GDPR, but maybe didn’t have much of a specialised process [to handle requests], failed.”

  22. Tomi Engdahl says:

    Avoid the chaos of GDPR in the realm of IoT

    Faced with stricter regulations on data processing under the EU’s GDPR (General Data Protection Regulation) and a growing demand for IoT-functionality within the field of consumer devices, companies now have an important decision to make when it comes to choosing the correct IoT platform.

    In this blog post, we’ll boil it down to just one important choice you have to make.

    Failing to comply with these new regulations can result in a hefty fine of up to 20 million Euros or 4 percent of gross annual turnover, depending on which sum is higher. In addition to a financial penalty, non-compliance can severely tarnish a company’s reputation and reduce trust among its customer base.

    The degree to which GDPR complicates data processing depends on the type of data collected and the way it is processed. GDPR applies to sensitive personal data, but in the field of IoT it is not always clear what this constitutes. In addition, your choice of platform dictates whether you will be affected by GDPR.

    Database-driven or P2P IoT: an important decision for any company

    Keep it simple – and secure
    The alternative to the cloud is a P2P IoT platform. Here, the client interacts directly with the device and no data is stored in the cloud.

    We also use the cloud, but the P2P technology we run simply acts like a telephone switchboard – mediating direct, end-to-end encrypted connections between the client (app on a smartphone or tablet) and the IoT device. Once this connection is established, the cloud server is out of the loop, and the connection is only between the client and the IoT device.

  23. Tomi Engdahl says:

    Why is marketing permission important in the future as well?

  24. Tomi Engdahl says:

    CJEU on cookies: ‘Consent or be tracked’ is not an option
    By EDRi

    Today, on 1 October 2019, the Court of Justice of the European Union (CJEU) gave its ruling on “cookie consent” requirements. European Digital Rights (EDRi) welcomes the CJEU’s confirmation that under the current data protection framework, cookies can only be set if users have given consent that is valid under the General Data Protection Regulation (GDPR). This means consent needs to be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of a user’s agreement.

  25. Tomi Engdahl says:

    A security hole in Gigantti’s website was open for a month; personal data could be retrieved from the site

    On the registration page for the Gigantti-klubi loyalty membership, it was possible to look up people’s personal data from a database by phone number. The database in question is the contact and personal marketing register of the market and credit information company Bisnode. Gigantti’s marketing director Sami Särkelä told HS on Sunday that the registration page form had been in use for about a month. Unfortunately we found out yesterday, Saturday, that an error in the code of the customer data form had made it possible to display data in a way that is not in line with data protection, Särkelä said by email. According to him, the system has now been closed and the code is being fixed.

  26. Tomi Engdahl says:

    Natasha Lomas / TechCrunch:
    EU data regulator issues first-ever sanction of an EU institution, against the European parliament over its use of US-based NationBuilder to process voter data

    European parliament’s NationBuilder contract under investigation by data regulator

  27. Tomi Engdahl says:

    The CJEU rules on consent to cookies under data protection law

    Last week’s CJEU ruling in Planet49 is an important Grand Chamber decision concerning the use of cookies and the meaning of consent under the e-Privacy Directive in the light of the Data Protection Directive but also the General Data Protection Regulation (Regulation 2016/679)(GDPR). The judgment is therefore relevant for understanding the cookie obligations in the new regime as well as the old.


    The case concerned an online lottery. To participate, users had to enter their name and address and were shown two checkboxes in relation to consent for data processing before they could participate in the lottery.

  28. Tomi Engdahl says:

    Fines are being handed out for GDPR violations; this is how many have been sent so far: “SMEs have very few resources to follow legislative developments”

    “Small and medium-sized enterprises in particular may have very few resources to actively follow the development of legislation,” says Erkko Meri, lawyer at the Finland Chamber of Commerce (Keskuskauppakamari). The European Union’s General Data Protection Regulation (GDPR) has been in force for a year and a half. By October, at least 82 fines had been issued within the Union for actions contrary to the regulation. For example, in Hungary a company was fined over 15,000 euros after a company employee’s USB stick containing personal data was lost and the company had not fulfilled its notification obligation. “EU citizens’ awareness of data protection issues has risen. National authorities in several member states have issued considerable fines for actions contrary to the regulation. In Germany a company was fined nearly 200,000 euros because, among other things, it had not deleted the data of data subjects who for years had no longer been the company’s . The Chamber of Commerce discusses the data protection regulation, among other topics, in its legal review, which examines current legislative changes. The first review in the series focuses on legislative changes related to the Working Hours Act and EU regulation.

  29. Tomi Engdahl says:

    Web Hosting Firm Slapped With $10 Million GDPR Fine

    $10 Million GDPR Fine Imposed on German Telco 1&1

    The German data protection regulator, the Federal Commissioner for Data Protection and Freedom of Information (BfDI), has imposed a €9.55 million ($10.64) GDPR fine on German telecoms provider 1&1 Telecom GmbH. This is described as being “in the lower range of possible fines” primarily because of 1&1′s cooperative response to the regulator’s investigation.

    The fine was imposed under Article 32 of GDPR. Paragraph 2 states, “In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.”

    BfDI said in a statement, “In connection with their telephone customer service, the company had not taken sufficient technical and organizational measures to prevent unauthorized persons from being able to obtain customer information.”

    The investigation commenced following a complaint from a customer whose personal mobile phone number was given by 1&1′s customer helpline to a former life partner in 2018.

    Despite saying the fine was in the lower range of possibilities, it remains a major GDPR fine against a European company. Germany had earlier imposed a fine of €14.5 million ($16.15 million) on a German real estate company for storing personal data without a legal basis, and for not implementing privacy by design. The highest fine so far was by the UK regulator against British Airways ($230 million in 2018). However, the 1&1 fine is significant for both its size, and because it does not directly relate to the organization’s computer systems, but to verbal and curated access to personal data stored on those systems.

  30. Tomi Engdahl says:

    Operator didn’t bother to protect its customer data, received almost 10 million euros in GDPR fines

    The German telecom operator 1&1 Telecommunications received a fine of 9.55 million euros for a serious GDPR violation.

  31. Tomi Engdahl says:

    ”Not an inch may be yielded” – the aftermath of Trafi’s data protection problems has now been cleaned up

    A year ago, a problem was found in a new online service of what was then the Finnish Transport Safety Agency (Trafi), and its post-mortem has gone on for a year.

    The final report has now been completed, but the press release from the Ministry of Transport and Communications says practically nothing about its details.

    an understanding of data protection, information security and risk management must be part of every civil servant’s basic competence.

  32. Tomi Engdahl says:

    Cookie consent tools are being used to undermine EU privacy rules, study suggests

    Most cookie consent pop-ups served to internet users in the European Union — ostensibly seeking permission to track people’s web activity — are likely to be flouting regional privacy laws, a new study by researchers at MIT, UCL and Aarhus University suggests.

    “The results of our empirical survey of CMPs [consent management platforms] today illustrates the extent to which illegal practices prevail, with vendors of CMPs turning a blind eye to — or worse, incentivising — clearly illegal configurations of their systems,” the researchers argue, adding that: “Enforcement in this area is sorely lacking.”

  33. Tomi Engdahl says:

    When consent is being relied upon as the legal basis for processing web users’ personal data, the bar for valid (i.e. legal) consent that’s set by the EU’s General Data Protection Regulation (GDPR) is clear: It must be informed, specific and freely given.

  34. Tomi Engdahl says:

    Interestingly, the introduction of General Data Protection Regulation (GDPR) in May 2018 negatively impacted 42% of businesses, reducing their databases of leads. Furthermore, 44% believe GDPR made it extremely difficult to capture new leads and effectively market to them.

  35. Tomi Engdahl says:

    Dixons fined £500,000 by ICO for crap security that exposed 5.6 million customers’ payment cards

    The fine is the maximum the ICO could levy under the previous data laws, but had it occurred following the roll-out of GDPR legislation Dixons may have found itself slapped with a bigger fine, he added.

  36. Tomi Engdahl says:

    Kashmir Hill / New York Times:
    As companies comply with privacy laws like GDPR and CCPA, many have insecure practices for giving users their data and some outsource user identity verification

    What’s the Price of Getting Your Data? More Data

    The new year ushered in a landmark California privacy law that gives residents more control over how their digital data is used. The Golden State isn’t the only beneficiary, though, because many companies are extending the protections — the most important being the right to see and delete the personal data a company has — to all their customers in the United States.

    In the fall, I took the right of access for a test drive, asking companies in the business of profiling and scoring consumers for their files on me. One of the companies, Sift, which assesses a user’s trustworthiness, sent me a 400-page file that contained years’ worth of my Airbnb messages, Yelp orders and Coinbase activity. Soon after my article was published, Sift was deluged with over 16,000 requests, forcing it to hire a vendor to deal with the crush.

  37. Tomi Engdahl says:

    Douglas Busvine / Reuters:
    Report: European regulators have imposed €114M in fines for data breaches since GDPR came into force in 2018; France’s €50M fine against Google is the biggest

    Fines for European privacy breaches reach 114 million euros: report

    European regulators have imposed 114 million euros ($126 million) in fines for data breaches since tougher privacy rules came into force in mid-2018, with approaches varying widely from country to country.

    In principle, regulators can impose fines of 2% or, in some cases 4%, of global turnover. In practice, they will have to judge whether such a heavy penalty would stand up in court, said DLA Piper partner Ross McKean.

    “It’s going to take time – the regulators are going to be wary about going to 4% because they are going to get appealed,” McKean told Reuters. “And you lose credibility as a regulator if you’re blown up on appeal.”

    The largest single penalty threatened so far has been in Britain, where the regulator has proposed a fine of 183 million pounds ($239 million) against British Airways owner IAG over the theft of data of half a million customers.
