Friday, July 6, 2018

Compuware Topaz for Enterprise Data – delivers a trifecta of benefits

By Rich Ptak

Graphic courtesy of Compuware, Inc.
With the announcement of the latest release of Compuware Topaz for Enterprise Data, the company leverages Topaz’s modern interface for fast, simple access to data for testing and other purposes…critical to digital agility. Specifically, Topaz for Enterprise Data provides a powerful combination of data visualization, extract and load, and advanced data masking capabilities so companies can get maximum value from their high-value data.

“But, that’s what Topaz was designed for and has been delivering for some time!” - you say. True. However, this time the focus is on a long-festering problem that the pursuit of digitization and agile development has raised to a critical issue. Here’s the story.

Digitization, mainframe mainstreaming, KPIs & GDPR

Enterprises are realizing that DevOps on the mainframe is necessary if they want to be digitally competitive. As Compuware CEO Chris O’Malley often says, “big no longer beats small, fast beats slow.” Good test data management – and the tools that enable it – are core to DevOps. Without them, you can’t understand data and data relationships, automate unit testing and ultimately shorten development cycles, making it virtually impossible to bring high-quality deliverables to market faster.

Historically, enterprises have been unable to exploit the full business value of their data due to their reliance on siloed tools, ad hoc manual techniques and slow processes. They also had to rely on subject matter experts when working with disparate databases or when it was necessary to create and manage custom data sets. Exacerbating these problems was –and continues to be –the shrinking mainframe workforce and the transfer of platform stewardship to mainframe-inexperienced developers who are, rightly so, averse to tools that lack integrations and automation and are too complex and hard to use.

The Tide is Changing

The rise of the digitized enterprise raised management interest in mainframe operations. The mainframe as a data repository is a cornerstone to enterprise digitization. As a result, business management interest in the mainframe resulted in significantly increased pressures on DevOps for faster development of new and extended services that involved more complex data relationships and varied sources. The mainframe’s role in the success of the digital economy becoming more visible and recognized meant more focus on being able to measure and monitor performance and progress. Data management for code testing, agile development techniques, data visualization and automation became critical issues in mainframe DevOps.

The digitized enterprise raises the stakes to continuously monitor and raise performance base on business KPIs – Velocity, Quality, Efficiency, Privacy for all IT operations
Data protection during development and testing, especially when outsourcing, is also a top concern. The publicity and controversy resulting from abuses and lack of serious security in public data management increased interest in and awareness of GDPR. The result has been a dramatic escalation of concerns over and discussions of the legal responsibility implications of data security to preserve data privacy.

As senior mainframe professionals retire, and a new generation of DevOps staff take over stewardship of the mainframe, Topaz for Enterprise Data ensures that any sensitive business or personal data extracted from production is properly masked for privacy and compliance purposes, while preserving essential data relationships and characteristics.

Further, IT staffs are realizing the integral role data management plays in velocity, quality, and efficiency, as well as privacy. Creating mainframe KPIs to continuously drive success in these areas – and having a tool such as Topaz for Enterprise Data to ensure good data management throughout the lifecycle – is critical to long-term success in today’s digital-centric markets.

Topaz for Enterprise Data – That and More

Through the single, consistent user interface of Topaz for Enterprise Data, IT developers and operations staff can manage, edit, manipulate, analyze and view the disparate collection of data types and applications available to today’s mainframe. Developers can access and manage data of different types from diverse databases. Customized test data sets and subsets are easily created, anonymized and manipulated in a straightforward manner. Disguised sets and subsets of sensitive data can be created and stored for test runs, while maintaining the integrity of data relationships across multiple environments. All done without requiring the help of data specialists or experts in data analytics or specialized cross-database knowledge. The programmer has now become self-sufficient.

The Final Word
Compuware delivers once again by expanding its portfolio of new, improved and extended solutions that pave the way to broad mainframe popularity and extended application. Their approach is based on accelerating and applying agile development solutions that make the mainframe increasingly attractive and easier to use by millennial DevOps and management staff.  

Today’s enterprises are all about digitization and digital agility goals. Enterprise managers rely on KPI’s to track DevOps performance and data management as measured in terms of velocity, quality, efficiency and privacy protection. Reliance on inefficient, labor-intensive manual processes and tools frustrate the achievement of KPI goals. In Topaz, Compuware combines disparate manual tools and processes under a common UI and facilitates automation of complex processes to assure reliable, consistent, secure and speedy data management and exploitation.

The payoff with this latest version of Compuware’s Topaz for Enterprise Data will be seen not only in improving performance as reflected in KPIs. But also, in better, more efficient utilization and, importantly, increased the satisfaction of valuable staff. For 15-quarters now Compuware has been refining their vision and implementation processed to mainstream the mainframe. Consider the effort and time spent over the last 50 years to identify and resolve problems associated with mainframe operations, management and applications. Further, consider that Compuware’s impressive contributions have consistently been created and delivered faster than competitors. We believe that the Compuware team deserves significant credit for a job very well done. Check them out.   

Publication Date: July 6, 2018

This document is subject to copyright.  No part of this publication may be reproduced by any method whatsoever without the prior written consent of Ptak Associates LLC. 

To obtain reprint rights contact

All trademarks are the property of their respective owners.

Sunday, June 24, 2018

Risky Data 4 – Risks and tactics as GDPR goes live!

By Bill Moran and Rich Ptak 

Image courtesy of European Commission

We’ve already discussed GDPR planning, focusing on general areas, e.g. security, that all companies should take seriously. Now, we address specific actions potentially necessary for GDPR conformance. The requirements will vary by industry and product type. We assume strict adherence to GDPR requirements and deadlines[1]. We focus on companies without a physical EU presence that may currently be doing business with its citizens/residents.

To enter or not…

First, determine the potential amount (volume) and value from existing or future EU customers. This includes residents/citizens that purchase products or services directly or over the internet. You need to determine the total value of EU business. Avoiding accounting details, business value is revenue less the expense and costs associated with product/service creation, demand generation, and delivery, etc. It includes customs, duties or taxes that you may pay to the EU.

Next, determine (estimate) what it will cost you to comply with the full GDPR. This, along with business value are the critical inputs for the decision. If the business value exceeds GDPR compliance costs, then you may want the business and will comply with GDPR. Done, almost[2].

However, if the compliance costs exceed the projected value, you may want further analysis before deciding. Is it possible to increase the business value with a price increase? Can you reduce compliance costs? Can you amortize costs across your total customer base[3]? Or, you can withdraw and refuse EU purchases. Finally, other relevant factors may affect the decision, so follow your organization’s procedures.[4]

Whatever you decide, you may still be impacted by GDPR, as we reveal below.

So, what’s happening now…

Some US newspapers and magazines, not wishing to conform to GDPR regulations, have terminated EU subscriber subscriptions[5]. Similarly, others may decide to back away from EU business. Note that doing this will still require scrubbing all EU customer information from databases.

In addition, some form of screening will be necessary to prevent EU residents/citizens from subscribing in the future. For example, require new customers to certify non-EU status. This should help to circumvent attempts at concealing actual status.


On the other hand, withdrawing a popular product from market makes it scarce. Scarcity can increase market value. This happened when government pressure in India forced Coca-Cola to withdraw from the Indian market. Smuggled Cokes became a quite valuable status symbol. Depending on the product, a profitable resale market in the EU could result.

However, a large profit potential can encourage efforts to falsify required certification. Unless actively supported by the US company, we don’t see a risk to the company. If a good faith effort is made to block EU- customers (i.e. requesting certification of non-EU status), a violation may be avoided.

GDPR requires significant customer control over their data. To comply, some companies are proactively requesting customer acceptance and authorization for collecting and storing identification data at login and on a website. If properly worded and presented, this can satisfy the GDPR requirement for consumer authorization. However, it also imposes another GDPR requirement. The collecting entity must respond in a fixed time-period[6] to consumer requests to either provide or eliminate ALL individual information resident in their databases, extending backwards and into the future. More on this later. 

Potentially risky scenarios

Another concern arises when a non-EU citizen customer moves to the EU on an assignment. It may be temporary or permanent[7]; either way, this raises questions. They wish to continue as a customer. If they inform you, you must make a choice. How long is the assignment? Does it qualify them as an EU-resident? If so, and you reject them, you lose a customer. If you keep them, GDPR kicks in. What to do?

First, it is not even obvious how to assure this situation is detected. A change in shipping address would be a clear indicator. Depending on the nature of the product/service, they might not notify or request an address change. Periodic requests for recertification (of non-EU residency) would be cumbersome, and off-putting to customers. Second, once the move is known, you must decide either to keep or terminate them. If you keep them, you become subject to GDPR. If you terminate, the risk is a lost customer upon a return from the EU, inevitably you will be blamed for any inconvenience.

Other questions arise. How long does a “temporary” assignment last before the EU asserts residency applies? What are the ramifications of providing service for “long-term” temporary residents? These need clarification.

A different problem arises for a company doing business with a multi-national firm (MNF). The MNF will fully comply with GDPR. The MNF can request its suppliers certify compliance or intent-to-comply with GDPR with 3rd party- or self-certification. It may or may not be mandatory, but compliant firms receive preferential treatment. A decision will balance GDPR implementation costs & risk of GDPR violation versus the value of the multi-national as a customer. The effort and cost of compliance involve multiple issues beyond the product/service, including commitments such as warranty support, inquiries to the supplier, special agreements, and so forth.

In another case. The MNF does not require GDPR certification but provides your product to employees worldwide. If there is never contact with EU-resident employees, no problem. If there is direct contact[8], retaining any information on them violates GDPR. One solution, if the MNF routes EU-resident employee queries through a non-EU resident who then handles all communication, then all is well. Still, if any MNF EU-employee’s information, telephone number[9] or email address, is entered into any of your corporate systems, a potential problem is created. A process to avoid storing any identifying information is needed.

Depending on your situation you may need to restrict customers from exporting your product to EU countries. One can imagine situations where a lifesaving product would be blocked from sale in the EU.  When this situation arises, the GDPR policy will have a problem.

Another challenge occurs in handling EU citizen/resident walk-in business. A cash purchase is no problem, a credit card purchase is. Retaining their name and credit card information invokes GDPR rules. Our recommendation is to delete all information about that customer as soon as possible. Potentially, there is the option of refusing use of a credit card; but you need to carefully consider this case and the potential negative effect on business.

Unfortunately, some firms, say an airline like JetBlue, must retain information on all customers until after the product/service is delivered. JetBlue must retain passenger identity information until the flight completes. They will have to comply with GDPR or ban EU residents/citizens from their flights.
One further regulation issue relates to erasure of an individual’s data including archived data. Companies may not have considered this when setting up their databases. Even companies deciding against FUTURE business with EU customers, but with past data on their systems are subject to this. We are convinced this will be costly to implement. Thus, GDPR has created a situation where you must comply with one of its most costly requirements, even as you try to avoid its clutches.

Finally, many companies will need a process to handle questions from EU-citizens/residents. You will want a professional response to such communications. However, to avoid GDPR requirements, you cannot retain any identifying information on the person requesting information. A process is needed. Since many of these communications will come by email, you now need a procedure to delete their information from your email system. You probably want a procedure to notify the sender that this is happening because of GDPR. 


We are not foolish enough to believe that we have exhausted this topic. Over time many other situations will arise. We have focused on some key points to consider in developing a response to GDPR. Let us recap.
  •          Some form of GDPR is coming worldwide. The massive disclosure of people’s information will not be allowed to continue. Therefore, tightening-up security along with similar GDPR policies makes sense. It is better to do something in a planned manner rather than wait until it becomes a requirement with possible penalties for non-compliance.
  •         The EU will attempt to enforce GDPR against companies on a worldwide basis. We assume that they will, at least partially, succeed. Therefore, it is prudent to act to avoid falling afoul of the regulations. It is possible that this effort will fail in some jurisdictions[10].  In that case, we believe a local form of GDPR will still be enacted. 
  •          Even without an EU presence, there are business decisions to make. You must determine how much business you currently have with EU citizens/residents. You need to decide the value of this business versus the cost of complying with the GDPR. There exists the complication of doing business with a multi-national company that wishes GDPR compliance.
  •           If you decide that you want to avoid the cost of GDPR compliance, there are still some steps to take to ensure that corporate systems do not contain any EU resident/citizen information. Remember; this is not just a one-time effort; it must be continuous.
  •           Finally, prudent business managers will take account of GDPR requirements and their inevitable spread in planning for the future.
Our research convinces us that some GDPR policies, especially those recognized as Best Practices, will prove beneficial. The unrealistic and awkwardly articulated parts will likely be resolved over time. We advise IT and business managers to work together to identify and implement relevant requirements.

Publication Date: June 24, 2018
This document is subject to copyright.  No part of this publication may be reproduced by any method whatsoever without the prior written consent of Ptak Associates LLC. 

To obtain reprint rights contact

All trademarks are the property of their respective owners.

[1] Although we believe that due to real-world limitations there will be interpretive leeway in GDPR requirements.
[2] A decision to comply with GDPR means it is necessary to comply with requests to completely erase any current and prior information on an individual. This may mean going to backup tapes and erasing this information. This raises some questions. How far back? Erasing may be very expensive in practice.  
[3] If a very high probability exists that GDPR-like requirements will be enacted, this becomes obvious.
[4] Keep in mind a decision to withdraw is reversible. Rules may be relaxed, or the US may implement similar ones. At that time, reentry difficulty and costs may be higher or lower.
[5] It is worth noting that communication with EU customers may itself be subject to GDPR rules. So, the sending company could not keep their names and addresses in its databases, including in email, or other electronic form. This is another example of a potential GDPR Catch 22 whereby an attempt to avoid it can itself backfire.
[6] From what we know, the GDPR allowed times for full compliance are too short. 
[7] The issue of when a tourist becomes a resident for GDPR purposes is sure to arise at some point.
[8]Any information that even potentially identifies an individual, a telephone number, email address, job title, or URL can present a problem.
[9] It is unclear if the retention of information on a phone call with an EU citizen/resident is subject to GDPR.
[10] One can imagine that some rogue MNFs may find a jurisdiction outside the EU that will refuse to enforce GDPR. They will move all their EU business to that place and attempt to defy the EU.

Monday, June 4, 2018

Risky Data 3 – Planning & Strategy as GDPR goes live!

By Bill Moran and Rich Ptak

GDPR has gone into effect unleashing a flood of commentary, proposals for solutions, and tons of advice, some very good as well some not so good or even bad. It’s time to discuss planning and strategy for enterprises moving forward.
Image courtesy of European Commission 
As stated earlier, the status of GPDR in non-EU jurisdictions is unclear. Still, it is important to understand it and consider its potential to impact your operations. This is vital because of the highly likely proliferation of GDPR-type regulations. There have been too many violations of people’s private data for the current laissez-faire approach to handling personal data to continue. It is doubtful this will happen tomorrow. It is, however, unrealistic to think it will never happen. Or, that it will occur in some distantly, vague future.

In fact, many companies already are taking action as they anticipate some version of GPDR being at least partially enacted, if not imposed in developed countries including the US. These may be initially presented as recommendations before taking on the form of federal regulations or laws, state laws or some mixture of the two. Current actions include limiting or even completely eliminating EU consumers access to services, publications or products.

In any case, hacker-driven incidents will continue. The risks, full costs and fines of Facebook-type occurrences are far from settled, and similar infractions are distinctly possible. Consumers and organized consumer interest groups can be expected to drive regulatory action by pressuring governments “to do something”.

How to Prepare
The question is what should a small and medium(SME) enterprise without a physical presence in the EU do? The first step is to determine which, if any, enterprise activities and actions will be potentially affected by a GDPR-like regulation. Then, develop a strategy. Here we are going to discuss general steps that all enterprises should take. In our next version of this report, there will be more specifics. None of the following should be considered to be or substitute for professional legal advice. It is intended for guidance and information purposes.

Enterprises need to examine their internal processes to consider how they could be changed or improved to align with GDPR principles. In some cases, this will mean incurring additional significant costs. Therefore, management oversight is critical. Pro-active activities are prudent. Waiting until there is external compulsion usually results in ballooning costs. Planning for necessary changes in advance means work can be done in a non-crisis, phased mode.

Initial action - Security
The first area to address is security. Given the level of criminal attacks, it is common sense to have ongoing efforts in this area. Evidence indicates that most companies have failed to take the threat of criminal hacking seriously enough. Virtually any company would be damaged and thrown into management turmoil if hackers penetrate their systems. Critical payroll data, personal data, and sensitive customer information are all at risk. Consider what happened to Sony when hackers penetrated their email system. That attack might have been North Korean hackers, but the results might have been worse if criminal hackers had been involved. The North Koreans’ apparent incentive was to disclose email contents to embarrass and punish Sony for making a movie that mocked their leader. Criminal hackers would not necessarily disclose the penetration. Instead, they could monetize the information for use in identity theft or other costly criminal purposes.

The prudent course is to begin with a security audit. In some cases, involving an outside consultant would be necessary. However, in many cases, it could be performed by internal auditors at relatively low cost. For example, investigations reveal that many systems operate with default ids and passwords. Critical systems, installed years ago, with these exposures were never corrected. Such security risks can be uncovered and fixed without expensive auditors by using someone with authorized access to the system. Another common problem occurs when the ids and accounts of ex-employees are not deleted. There are numerous other such security violations well documented. The point is to review and assure that proper polices have been implemented to fix such problems and prevent their recurrence.

There is another class of problems that demand more work to detect and fix. For instance, handy tools installed by IT to make their jobs easier might be applied to a criminal purpose in the hands of a hacker. Policies must be developed to avoid this situation. Sometimes, the solution is simple, i.e. removing tools from the system when not in use. In other cases, the tool might be critical for production. In such cases, it might be necessary for ongoing code audits to see that what it is doing is necessary. Anytime new software is installed on a system, it should be verified and checked to avoid introducing rogue code or viruses.

In the Equifax penetration, improperly maintained open source software caused the problem. A maintenance audit can uncover this problem. The institution of a rigorously enforced policy of careful maintenance for operating system, open source and all vendor supplied software, will help avoid the problem. When a vendor announces a flaw in their system (with or without a fix) one can guarantee that hackers are aware of the situation and will begin probing to find systems without the fix installed.

Despite taking all reasonable precautions, an installation might still be penetrated. Studies have shown that companies are very slow in detecting such events. There may be reasonable ways to improve this response. These should be standard practice.  Clearly, once a penetration is detected corrective action should be taken immediately to limit damage.

If immediate detection is impossible or not feasible, full or partial encryption of data can be an alternative solution. The cost and overhead associated with encryption has dropped dramatically recently. It may not always be practical, or financially feasible, but it is worth investigating. As an aside, IBM provides pervasive encryption on mainframe Linux systems. Encryption needs to be evaluated in other environments.

In summary, most IT installations need to tighten their security. GPDR imposes rather severe penalties for disclosing confidential and personal information. It is good practice to take practical steps now. Let’s look at another area of enterprise risk not necessarily as obvious, but one that needs attention, personal data.

Personal data protection 
GDPR privacy legislation intends to give citizens ownership and control of their personal data. This includes: 1) knowledge of what personal data is in a system 2) an ability to correct any errors, 3) ability to remove data, 4) information about when a data breach occurs and what was exposed, 5) ability to review data stored in the past upon request. Such past data might be important in tax, criminal or judicial matters or contract disputes. Consideration has to be given to how the data is protected, stored, and for how long it must be retained. All are a normal part of data storage and archival. GDPR sets some restrictive requirements on how quickly these must be available, and notifications sent. AND, penalties for non-compliance are high.

This raises the question about what happens when data retrieval isn’t possible from the current system. For instance, it has been corrupted in some way. System backups will need to be accessed. For historical data, the storage media is typically on tape.

Here is a cautionary tale from real-life. Several years ago, a colleague of ours started a company to update backup tapes. Old backup tapes were to be converted to CD or DVD format. The processed tapes were from a variety of companies and government agencies. He found that about ¼ (25%) of the tapes were bad. There were spots on the old, open reel tapes that were unreadable.

Unfortunately, the situation was actually somewhat worse. His process would only detect unreadable spots. In addition, there were readable records that were still wrong because they had been corrupted.

This story demonstrates the need to examine the process for controlling backups. This should not surprise anyone. Most of us have had the experience of trying to use a PC backup only to  discover that the backup does not work. Failing to check a backup process, means that a failed process is revealed when most damaging. Most organization have a backup process that periodically ships tapes offsite; then forgets them. GDPR-type regulations mean it is wise to take steps to test  that the backups work, and provide valid information. Addressing these issues will improve current operations while preparing for their critical need when some form of GPDR arrives.

We recognize neither of these issues were covered in great detail. Our goal has been to make the point that these and other areas need to be carefully examined along with privacy policies, data movement, network issues etc. There is a great deal of work to do here.

The likely arrival of GPDR-like regulations ought to make companies review and reconsider their policies in areas involving the acquisition, storage, use and protection of customer data. All of these will be impacted by such regulations. It is foolish to wait until the arrival of regulations that force mandatory change in a limited time period. Such a delay will likely raise the costs of review and remediation as well as risk costly fines for missing deadlines if breach is experienced. Of course, some flexibility is needed since the exact details of such regulation are not known currently.

Many vendors, including Compuware, IBM, Microsoft, HPE, BMC etc. are offering services and solutions (partial or comprehensive) that include process review definition, evaluation and planning services. Most recognize the need for implementation flexibility and openness to allow for advances in technology and regulatory changes. Be sure to verify this if you decide to employ a partner in your effort. Whatever you do, remember regulatory details will change and you must be able to adapt.

By starting today, enterprises and companies will have adequate time to study this issue and determine the best way forward. Finally, we are convinced there is no reasonable excuse to delay or wait for regulations to take steps to strengthen existing security. For most, there is much work to do. The best thing is to get started now.

In the next edition of this report we will discuss specific steps that companies without a physical presence in the European Union need to take to steer clear of being entrapped in the GPDR web.

Publication Date: June 4, 2018
This document is subject to copyright.  No part of this publication may be reproduced by any method whatsoever without the prior written consent of Ptak Associates LLC.  

To obtain reprint rights contact 

All trademarks are the property of their respective owners.

While every care has been taken during the preparation of this document to ensure accurate information, the publishers cannot accept responsibility for any errors or omissions.  Hyperlinks included in this paper were available at publication time.

Monday, May 21, 2018

Risky Data 2: GDPR outside the EU

Image courtesy of the European Commission
This is the second in our series examining the impact of GDPR outside the European Union. GDPR (General Data Protection Regulations) is the new privacy law enacted by the European Union that becomes effective May 25, 2018.

The law attempts to enforce an individual’s ownership rights of their personal data. It includes provisions to protect the use of any individual’s data that is collected by an enterprise and/or shared with business partners, etc.

It includes significant control over and restrictions on what can be done with such data without specific permission of the owner. In addition, because of the risk of exposure of private data by ‘bad actors’, it imposes very tight deadlines on reporting exposure of such data, along with severe penalties for violating GDPR provisions. 

As a result, the details of the act become very important. As with any very large, broadly targeted and comprehensive law created by a large bureaucracy, there are certain to be unintended consequences along with the intended consequences of the provisions. GDPR covers procedures for obtaining permissions for data use. There are deadlines set for reporting of data theft, data breaches, loss of control, etc. In this piece, we examine some of those details and the risks entailed as a result.

Areas of Uncertainty

Given the size of the task, it is not so surprising that many areas exist in GPDR regulation requirements that are unclear, lacking in detail, or remain undecided. For example, there exists no clear explanation about how the regulations will function in practice. Also lacking are any hints of what operational changes will have to be implemented during the first several years as the regulation begins to take effect. It is normal to have some timeline and specifics provided to help guide and facilitate implementation efforts.

As an example, in many enterprises, while there are management and audit groups that set policy, it is IT operations that has direct responsibility for the implementation details and activities involved in data collection, storage and management. Therefore, GPDR-related implementation will have a profound effect on IT operations. Operations managers should be aware of areas of concern.

As mentioned in the first article, explicit permission is required for collection and use of data. For minors, either the parents or a legal guardian must consent. That requirement alone can have severe problems in implementation, both practical and legal. What will be the process to contact the parents for consent? If you rely on the child to involve the parents, will they tell the truth? Will they identify someone else, who they know will give permission? What restrictions exist about the data that can be requested?

Another area that comes to mind concerns the GPDR-set reporting deadlines in response to violations or permissions. For example, the time limits set for responding to queries for access to personal data, or for alerting and acting on data access breaches appear unrealistic[1]. They will have to be adjusted as companies fail to meet them. We know from experience that planners seldom anticipate the full consequences of their dictates, nor are they good at estimating the cost and time required to comply with their dictates. Only experience reveals the unintended results. It is reasonable to assume many of the GDPR proposed changes will be revised or radically altered, even eliminated, as actual experiences at applying the rules accumulate.

However, it is not clear how significantly nor how quickly any such adjustment will be made. Nor, is there a guarantee how infractions will be treated in the interim.   

Each country within the EU will have its own GPDR authority. This raises a host of questions. Germany, for example, has historically been the strictest enforcer/protector of data privacy. Applying restrictions and punishing violations much more vigorously than other countries. We don’t expect any change in their positions.

Additionally, will large companies be able to shop around the EU to identify the country with the laxest enforcement policies? This is exactly what happened with corporate tax legislation and enforcement. Companies arranged business accounting, manufacturing and delivery processes to minimize tax liabilities. By implementing complex transaction processes, companies were able to greatly reduce taxes paid. As would be expected, enterprises would include careful consideration of country’s taxation policies when making large scale investment and job creation decisions. Will it be possible to do the same with GPDR?

The way actual fines will be determined is not specified. Will the countries differ in calculation formulas? For example, how would the fine be calculated if the data on 500 people is stolen? Does that count as one infringement, or 500?

Strict reading of GDPR means that American companies, including those that have no physical presence in the EU could be subject to the EU’s worldwide scope if they have personal data on any EU citizen or resident in their system. Presumably, the EU would need the local courts to agree to enforce penalties on these companies. How will that work? Will enterprises have to wait for such a case to reach the US Supreme Court to find out the answer? Or, will it become an issue in trade negotiations? To date, there have been no public announcements, or, as far as we know, no discussions. Nevertheless, it is reasonable to assume the US will enter any such negotiation with its own interests in mind. 

What will be the effect of Brexit on the GPDR? Since the UK is leaving the EU, it would seem that the EU mechanism for enforcing GPDR will not apply to the UK. Will the UK decide to make GPDR a part of its law? If so, will the UK make changes in the version of GPDR that it adopts? If they do, how will it differ? In scope? In fines? In restrictions? Will UK enforcement be similar to or radically different from enforcement in the EU? If not, how will it differ?  Presumably, at least some of these questions will be answered as the UK prepares its exit from the EU.

Finally, the GPDR may be tied up in the European courts for some undetermined period as soon as some of the rules are enforced. And, it is likely that it will be challenged in this way. This may also happen in the UK if Britain leaves the commercial trading jurisdiction of the EU as they exit the EU community.

In sum, there are numerous areas of uncertainty surrounding GPDR. Only experience and time will provide definitive answers. In the meantime, it is wise to determine the potential for GDPR to impact your operations. If it is significant, you will need a strategy to prepare for it. Our next installment will examine issues about that potential, as well as what should be considered in developing such a strategy.

This document is subject to copyright.  No part of this publication may be reproduced by any method whatsoever without the prior written consent of Ptak Associates LLC. 

To obtain reprint rights contact

[1] There are studies that show current response times are on the order of weeks rather than the days required by GPDR rules. Of course, that might not be relevant if response times can be adjusted downward under the pressure of the new rules.