GDPR Oddsmakers: Who, Where, When Will Enforcement Hit First?

Alarm bells are ringing. The grace period is over. As of today, supervisory authorities are officially free to lay down enforcement action for the European Union’s General Data Protection Regulation (GDPR). Now come the real questions: who gets hit first, for what, how hard, and when does the hammer drop?


There are probably as many answers to those questions as there are supervisory authorities (SAs), and there are many, notes Omer Tene, vice president and chief knowledge officer of the International Association of Privacy Professionals. Tene points out that there are 28 different EU member states, and not only might they have individual federal authorities, but they may also have a dozen more for individual states – similar to the US system. Different authorities have different priorities and different “appetites” for litigation or punitive action, he says.

GDPR sets down new rules about consent, requiring organizations to obtain individuals’ consent to collect, store, use, share, transmit, or sell their personal information for any reason – and an individual can withdraw that consent at any time, meaning that the organization must retrieve and destroy information as necessary. It includes rules about information security, including pseudonymization, encryption, and multi-factor authentication.

Changing the Way You Use Data

The first hits will come for the most obvious, most tangible offenses: passwords only where there’s supposed to be multi-factor authentication, or an outdated privacy policy that doesn’t pass muster. Eventually, though, GDPR will force fundamental changes to business models, experts say.

This article originally appeared at
