EU regulators report a sharp rise in complaints post-GDPR




The number of complaints that GDPR regulators are reporting has sharply increased over the past few weeks since the legislation came into effect. The greater degree of data transparency the law offers comes as a welcome change from the previous antiquated data protection laws. The duty of care now rests firmly on the shoulders of data processors and organisations to exercise more careful data management practices.

Across Europe, organisations have been endeavouring to tick the boxes for GDPR compliance, some simply for the sake of seeming to strive for compliance. However, looking as though you are merely trying may not be good enough for the stringent regulators. The time has come for data processors to answer for their shortcomings. Data has been described as ‘the new oil’, insinuating that it has become a commodity of great commercial value. With this in mind, the idea that it be treated with less prudence in its storage and management becomes equally unacceptable. A bank that safeguards money does not flippantly disregard the safety of its currency, and under GDPR, organisations are no longer permitted to be so negligent with personal data.

“Data has been described as the new oil”

Consider for a moment the prospect of a large-scale bank robbery in which a large quantity of currency was stolen, resulting in a huge backlash against the bank for not taking the correct security measures to avoid it. The customers of the bank would demand that their money be returned to them, with a guarantee that this would not happen again.

Taking the concept of personal data as a commodity with intrinsic financial value, a data breach could be viewed as a kind of data bank robbery: a theft which previously would have gone without any restitution for its victims.

Data Privacy


The GDPR has changed this lack of protection for data subjects for the better, holding organisations that store EU citizens’ data accountable for the security and careful management of this salient personal information.

The large number of complaints that EU regulators have received stands testament to the willingness of EU citizens to embrace the new data privacy laws. The organisations that carelessly allow sensitive personal data to be lost are being held to account by those they have failed; the victims of EU data crime now have a platform to voice their concerns with the backing of European regulators.

The GDPR shepherds in a new era of data privacy law that offers much greater protection for EU citizens and their data, holding organisations responsible for the data they use. With the number of complaints being reported still steadily rising, it is only a matter of time until organisations take note and achieve full compliance by changing, for the better, the way in which they process EU citizen data.

What will be the GDPR’s impact on Brexit?



Personal data has become the new commodity in our digital economy. In the past, companies have gathered huge amounts of personal data about people, in an attempt to influence their buying decisions on certain brands and products. We have seen from recent scandals, such as that of Facebook and Cambridge Analytica, that our personal data can be manipulated to influence people’s opinions on world events through to their voting decisions. There seems to be no end to the level people will go to in order to push an agenda. This only increases the value of personal data to those threat actors who are desperate to get hold of it at any cost.

‘Personal data is the new commodity of the digital economy’

GDPR has now become law and with it, comes more stringent requirements for companies to adhere to, in order to protect personal data of EU citizens. However, in parallel, with Brexit scheduled to go into effect in March 2019, there is some uncertainty within the business community about whether or not the UK’s own privacy law will give EU citizens the same level of protection they currently enjoy under GDPR.

Up until the time when Brexit comes into effect, the UK is still part of the EU. Therefore, when businesses are transferring personal data across borders, they currently have the GDPR as protection. But what happens after the UK leaves? How is that data going to be protected? There appears to be no clear strategy for the protection of data in the Brexit Agreement during or after the two-year transition period.

What does this mean for businesses who rely on the flow of personal information with the EU and UK? EU companies now have a new standard and have gone through a rigorous change in their policies and procedures to make sure they are compliant. Now they will be faced with a new set of problems and headaches to resolve before customers lose faith and move their business elsewhere.

As you can imagine, the EU is not happy with the UK’s decision to leave, and as such the EU Commission published a Notice to Stakeholders confirming that the UK will be classified post-Brexit as a third country. What does this mean for companies who deal with UK businesses and transfer personal data to them? It means that unless the UK-based company has very strict conditions and contracts in place regarding the protection of personal data, and specifically the cross-border transfer of that data (similar to the US-EU Privacy Shield already in place for US transfers to the EU), UK companies could potentially lose out. This has many long-term repercussions for UK businesses.

With the new Data Protection Bill, the UK is attempting to align its legislation with the EU’s GDPR, so that when Brexit does become a reality there are robust measures in place for the protection of personal data.

However, until Brexit does come into effect, we will not know for certain what measures will be in place. Until then, the UK remains in the EU and its data protection laws are aligned to GDPR. What we would suggest is to understand how your company may be impacted by Brexit and start making preparations for the challenges that lie ahead.


How Canada is being impacted by GDPR




GDPR is now firmly implemented across the EU and, although the new law only covers its citizens’ data, the impact of the law is being felt worldwide. If you are an organisation that offers goods or services to EU citizens, you are now expected to comply with GDPR, even if you do not have a physical presence there. Therefore, Canadian businesses that collect and process personal data from the EU should ensure that they are compliant with the regulation.

The General Data Protection Regulation is the legal framework regarding data protection and privacy in the European Union that came into full effect May 25, 2018. It affects anyone with clients, customers or website visitors in EU countries. It gives greater protection and rights to individuals and is the biggest change to European Data privacy laws in over 20 years.

If you do business with customers or clients in the EU, by law you have to be compliant with GDPR. If you fail to comply, you will face heavy fines. To understand what these are, check out our GDPR Infographic – Non-Compliance and Penalties here.

Even if you are not currently doing business in Europe, adopting the GDPR guidelines is a positive step forward for any business. Internet businesses operate on the global stage, and it is easier to update the terms and conditions on your website to meet the most stringent requirements across all the countries you operate in than to maintain separate policies for separate countries or regions.

Simple steps to help you with GDPR

Create a list

Create a list detailing all the places online where you ask people for personally identifiable information. The best place to start is your website. Do you ask visitors for their names, email addresses or credit card information? Then look at any online forms or sales funnels: comment collection boxes, email marketing sign-ups and e-commerce checkouts are all potential collection points to take into consideration.

Moving on from the collection points, you need to think about where you are storing this information, such as your CRM database or email marketing lists that contain a high volume of sensitive data. You need to ask yourself: did we get permission to collect this information in the first place? Have they given us their explicit consent? You will need to keep a record of the consent given in order to use the data in sales and marketing campaigns. The Canadian Anti-Spam Law allows companies to market to customers for up to two years after they have received implied consent, whereas GDPR accepts explicit consent only.

How do you track website visitors?

Businesses use tracking tools such as cookies, web beacons or pixels to allow the web browser to remember information about a website visitor’s browsing session: what device they used, their location and what pages they have visited. This information is PII, and as such you will have to inform visitors from the EU.

GDPR states that it is not enough to have passive consent for the use of cookies. Websites are now creating pop-ups that warn visitors that cookies are in use on the site, for example “If you continue to this website, you agree to our terms and conditions”. This gives the visitor the option to disable cookies in their browser, or to leave the site if they do not want to be tracked.
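The distinction between passive and explicit consent above is easiest to see in code. The following is an added example, not code from the original post or from Ground Labs: a small consent gate that only sets tracking cookies after an affirmative banner action, and treats “continued browsing” as no consent at all. The cookie names, the category split (necessary / analytics / advertising) and the action names are assumptions made for the demonstration; it runs under Node with no DOM.

```javascript
// Added example: explicit opt-in gate for tracking cookies (not Ground Labs code).

// Constructed classification of the cookies a site sets. Strictly necessary
// cookies may be set without consent; everything else waits for a choice.
const COOKIE_CATEGORIES = {
  session_id: "necessary",
  csrf_token: "necessary",
  _analytics_id: "analytics",
  _ad_pixel: "advertising",
};

// Only an affirmative action counts as consent. Scrolling, closing the banner
// or simply continuing to browse (the passive "if you continue, you agree"
// banner) yields null: nothing was consented to and tracking stays off.
function recordConsent(action, now = new Date()) {
  const base = { action, recordedAt: now.toISOString() }; // keep a record of when consent was given
  switch (action) {
    case "accept_all":
      return { ...base, analytics: true, advertising: true };
    case "accept_analytics_only":
      return { ...base, analytics: true, advertising: false };
    case "reject_all":
      return { ...base, analytics: false, advertising: false };
    default: // "scroll", "close_banner", "continue_browsing", ...
      return null;
  }
}

// May this cookie be set under the recorded consent? Unknown cookies are denied
// outright so that an unclassified tracker cannot slip through the gate.
function cookieAllowed(name, consent) {
  const category = COOKIE_CATEGORIES[name];
  if (category === undefined) return false;
  if (category === "necessary") return true;
  return consent !== null && consent[category] === true;
}

// Build a Set-Cookie style string, or return null when the gate refuses it.
function buildCookie(name, value, consent, { maxAgeSeconds = 3600 } = {}) {
  if (!cookieAllowed(name, consent)) return null;
  const attrs = [
    `${name}=${encodeURIComponent(value)}`,
    `Max-Age=${maxAgeSeconds}`,
    "Path=/",
    "Secure",
    "SameSite=Lax",
  ];
  // Session and CSRF cookies never need to be read by page scripts.
  if (COOKIE_CATEGORIES[name] === "necessary") attrs.push("HttpOnly");
  return attrs.join("; ");
}

// Simulate one visit: which cookies end up in the jar for a given banner action.
function simulateVisit(action) {
  const consent = recordConsent(action);
  const jar = {};
  for (const name of Object.keys(COOKIE_CATEGORIES)) {
    const cookie = buildCookie(name, `v-${name}`, consent);
    if (cookie !== null) jar[name] = cookie;
  }
  return { consent, cookiesSet: Object.keys(jar) };
}

for (const action of ["continue_browsing", "accept_analytics_only", "accept_all"]) {
  console.log(action, "->", simulateVisit(action).cookiesSet.join(", "));
}
```

The point to take from the simulation is that the "continue_browsing" path sets only the session and CSRF cookies; the analytics and advertising cookies appear only after an explicit accept, and the consent record carries the timestamp you would need to show a regulator.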

Update your privacy plan

As soon as you understand what PII you are collecting and where it is coming from, you can move on to the next stage. You need to create a detailed plan to protect that data and keep it secure from potential cyber threats. You also need to be able to keep it safe, share that private information, or delete it if this is requested through a SAR or a Right to Erasure request. And to meet the requirements under GDPR, if you were to suffer a data breach you would need measures in place to report it to the regulators and the data subject.

The new plans will need to be communicated throughout the organization. New procedures and processes may need to be rolled out to make employees aware of how to handle the sensitive information and of what the privacy policies are. Depending on your level of data collection, your organization may need to appoint a Data Protection Officer (DPO).

Clearly State your Privacy Policy

After you have completed all of the above and you have a new privacy policy, it will need to be prominently displayed on your website. Create a separate page on your site and link the privacy policy from your sitemap or page footer so it can be easily referenced. The GDPR mandates that the policy be written in easily readable language and be clear and concise in informing visitors what information you intend to collect, how you intend to collect it, why it’s necessary to collect it and how you intend to secure it. It also needs to state whether the data is ever shared with third parties, and how someone can get in touch with you to request access to the data you hold on them or to have it deleted.

As the privacy landscape continues to change worldwide and in Canada, businesses need to keep abreast of their data privacy policies and their impact.


How will the GDPR impact Asia-Pacific-based companies?




GDPR is now law. EU companies have had two years to prepare for it, but what is the cross-continental impact on companies based in APAC? The GDPR is the biggest shift in data protection and privacy in the last 20 years, so even an Asia-Pacific-based company may have to comply even if it’s not physically based in Europe. The new rights given to EU citizens mean that any company that markets to, stores or collects PII from an EU citizen based in the EU has to comply with GDPR.

A lot has been discussed about what will happen to companies who fail to comply with the new GDPR legislation. For the first time, they face unprecedented risk and sizable penalties for major data breaches – up to 20 Million Euro or 4% of global turnover, whichever is higher. This is only half the story, however.

Companies that operate outside of the EU could find themselves caught out by the new reach of the data protection laws. GDPR will apply to your company if you provide services into the EU, or if you obtain sensitive personal information of an EU citizen and transfer it outside of the EU. There are now rules around consent and how you obtain it: an EU citizen has to give you clear and explicit consent to use their data for a specific purpose.

Fines, fines and more fines! It’s not just the fines you need to be wary of. The reputational damage to your brand could ultimately far outweigh any penalty. Understanding how the 72-hour breach notification procedure to the regulator and the EU data subject works, along with the additional effect it will have on your business, has to be taken into consideration.

Some key features of GDPR for APAC companies to consider

How personal data is collected

If you are an Asia Pacific-based company without a physical presence in the EU, you can still be affected by the new GDPR if you target EU citizens and collect their personal data online. Your collection points, whether through your website, apps or forms, need to be GDPR compliant.

Regulatory risk

With the increased risk of regulatory scrutiny and possible fines, businesses need to have higher data security provisions set out and procedures in place to support GDPR compliance. More importantly, if you fail to convince your customers of your GDPR compliance, you may lose business to competitors.

72-hour breach notification

All personal data breaches must now be reported to the regulator and the data subjects within 72 hours of suffering the breach. In order to prepare for this, your business will need to re-evaluate its processes and procedures and put new systems in place to meet the new requirements.

Data transfers to a non-EU country

Under GDPR, data controllers are no longer allowed to rely on their own view of whether the transfer security protocols currently in place are adequate. In particular, they need to address Article 46: where personal data is transferred from the EU to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer.

Security by design

Under GDPR, companies need to build privacy-by-design into their systems and data processing activities. Specific impact assessments will need to be carried out for all new technology, and it must be able to support GDPR rights such as the data subject’s Right to Access, Rectify and Erase their data.

Reputation is key

The financial and reputational impact of GDPR has to be a board level issue. The new requirements for reporting breaches and updating the regulator create a new element of risk. Delays in reporting and providing notice have created significant negative publicity in recent breaches.

What does the current data privacy legislation look like in APAC?

There is no similar agreement on data protection in the Asia Pacific region that unifies the laws across the region. However, some countries, such as Australia, New Zealand and Hong Kong, have laws in place that cover both the private and public sectors. China, Vietnam, Singapore and Malaysia have laws that exempt the public sector, and the Philippines has laws specific to the handling of citizen and non-citizen data. In general, these laws are territorial and not extraterritorial as the GDPR is.

Could we see something similar to GDPR in APAC?

The Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) System requires businesses to implement data privacy policies consistent with the APEC Privacy Framework. This is a clear attempt to harmonise data privacy rules, in the hope of building consumer and business trust in cross-border flows of personal information.

In February this year, the Singapore Personal Data Protection Commission published the feedback it had collected publicly; the intention is to align its regulations with the provisions set out under the new GDPR legislation, including the data breach notification requirement.

It could be some time before we see a unified law across APAC, but steps are certainly being taken to improve privacy laws across the region.

GDPR Could Be The Best Thing To Happen To Marketers In 2018




Now that the deadline for the new GDPR has come and gone, what we witnessed was a barrage of inbox messages to our email accounts, as well as text messages to our ever-present smartphones. The messages ranged from last minute emails to the straight up, all-out legal breakdown on the change to their privacy policy. This has left us, as marketers, feeling a little bit exposed, hoping all of our customers would click agree so we could breathe a sigh of relief.

We all made decisions on which brands and companies we wanted to opt in with, and some just didn’t make the final cut. We also had some brands appear where we couldn’t even remember why we signed up with them in the first place.

We decided to ask Ground Labs’ own Marketing Manager, Matt Jennings-Temple, to give us his expert opinion on why he thinks this privacy policy reset is so good for marketers.

Below he has given his top four points:

“Don’t forget how important your customers are!”

GDPR has brought companies’ focus back to the customer, as customers are now the ones in the driving seat. How you market your brand, what it stands for and what value you bring to them will shape your organisation’s future. This positive change in the law will force alignment across multiple departments such as IT, Finance, Marketing and Sales in how they collect and store customer information.

“Always look to add value”

We as marketers understand that, in order to get our message across to potential and existing customers, we have to use multiple channels and touchpoints. At each of these points you will be collecting data, but under the new GDPR rules, you can no longer collect it without a specific use or purpose to store it. What GDPR does is force marketers to derive value from the data that is collected and pass that through to the business – the risk of not doing this is too great.

“It’s not like you’re starting from scratch”

Do you remember when you last looked in your CRM and saw thousands and in some cases millions of customers’ details? Unfortunately, you are going to have to let them disappear.

Matt says, “Marketers need to see the positive side to this. Now your customer data has been laid bare, you know exactly what data you have and you can focus your attention on quality customer interaction for maximum benefit to the business.”

“It’s GDPR day every day from here on in”

It may seem like you’re scrambling around trying to market your business after the GDPR deadline, but the truth is, some companies will relish the challenge and succeed in this new era of data privacy. You have to ask yourself: do you want to be one of the ones that fails, or one that has a forward-focused customer plan that rivals your competition?

Look out for future blogs on Ground Labs’ very own GDPR journey.

Real business strategies for GDPR implementation


Now that the GDPR has finally arrived, organisations must take the appropriate steps to ensure that they know where their sensitive data resides. The duty of care now rests fully on the business to meet the requirements of compliance. In this video, John Cassidy, Ground Labs’ Global Sales Leader, gives a comprehensive presentation on the best strategies to help organisations deal with the GDPR.

Organisations that store personal data of any kind must report data breaches to the affected parties within 72 hours, fulfil Subject Access Requests within 30 days and in addition, execute requests for the deletion of stored personal information (The Right to be Forgotten). The activities highlighted above are now essential for organisations to fulfil in order to achieve GDPR compliance. However, achieving and maintaining compliance are two different tasks.

The GDPR has evolved from outdated data protection laws and now adds updated and unified data security features. Many data protection ideals have grown together into a welcome step forward for data transparency in the European Union. With personal data becoming an attractive target for hackers looking to sell it on the dark web to the highest bidder, the new updated data protection laws have been widely welcomed by industry. With high profile scandals such as the Facebook and Cambridge Analytica incident becoming more and more frequent, the new EU law provides some solace for citizens who are concerned about the fate of their personal data.

Data Transparency


John Cassidy suggests that the best way for organisations to achieve GDPR compliance is for all departments to act in unison. There is a common view that the IT department should be responsible for GDPR protocols, but this simply cannot be the case because compliance, once achieved, must become common practice. The IT department, for example, cannot be expected to manage the data of Sales, Marketing and Finance. Inter-departmental cooperation is necessary to avoid data stagnation and to make certain that GDPR compliance activities become a regular part of day-to-day business practices. With all departments working together to manage the flow of information, the organisation as a whole will find itself functioning comfortably within GDPR compliant parameters.

There are no quick fixes for GDPR compliance. Continuous monitoring is the only way to stay within the boundaries of the new legislation and not break the law. In cases where companies are processing large volumes of data each day, the duty of care falls on them to make sure that effective systems are in place to monitor and manage the information. If a GDPR regulator performs an audit and finds a myriad of sensitive personal data cast carelessly into a recycling bin and forgotten or old sensitive information left archived on a disused database, they will not hesitate to penalise.

Cost of GDPR


A commonly held thought by individuals within the data processing industry is that a data tsunami is coming. And with the GDPR now in full effect, that time has never been closer. Organisations must take care in case they fall victim to a massive data breach that could prove extremely costly, both in terms of finance and reputation.

Wherever sensitive data is being stored, it is imperative that organisations keep it in an easily accessible and carefully organised way in order to deal with any compliance related queries in a timely manner.

Organisations that follow this best practice guide for regularised compliance activities and adopt the habit of interdepartmental cooperation will find that GDPR compliance becomes a part of their daily business. With this, the process of dealing with the GDPR will be smooth and easy, and the consequences of non-compliance will be avoided as a matter of course. Ultimately the GDPR is about promoting data governance in organisations, so organisations that make compliance a part of their usual practices can rest easy in the knowledge that they are up to standard.

To watch the full video please click here

GDPR discussion – what are the implications of the new EU law?


Summary: Over 80% of EU businesses classify themselves as not being ready for GDPR. Now that it is law, what are they doing to become ready and compliant? This blog is taken from our recent GDPR video discussion series, in which Ground Labs’ Global Sales Leader, John Cassidy, talks about the implications of GDPR and what he thinks companies need to do now. Watch the Youtube video here.

Is EU business ready for GDPR?

The view in the industry is that 80% of businesses were not ready for GDPR: they were either not prepared, or took the position that they would wait and see how the market and their competitors reacted to it. This could be seen as a risky strategy when you have multiple stakeholders who are concerned about the reputation or ongoing wellbeing of the business. Businesses have had 2 years to prepare for it. They have had no excuse for not being ready in time.

Is it too late to start your GDPR compliance journey?

It’s never too late to start your compliance journey. In the event of a cyber incident or data breach, the regulator will audit you, looking for an explanation from your DPO as to how it happened and the steps that were taken to comply. Doing nothing is not something your customers or stakeholders want to hear. So it’s never too late to start your process, and every company has to start somewhere, but the overriding message from industry experts as well as Ground Labs is to start doing something as soon as possible.

“It’s never too late to start”

How can companies ensure they are GDPR compliant?

It is no longer acceptable to run yearly audits for compliance. Businesses need to start looking at the ever-present threat of cybercrime and how it impacts the business. Processes and procedures have to be put in place to educate and create awareness of GDPR. An important factor in this is to enable the ongoing monitoring of sensitive data, to understand what you have and where it is. Ground Labs feels we are part of the solution.



Post-GDPR – what’s your business-as-usual tool?

GDPR is here!

The GDPR deadline has now come and gone and we are all still here! Now as the dust settles in the business community, the realisation that organisations are now fully responsible for all the data they store on EU citizens has hit home. The law has the power to enforce data liability upon all organisations within and outside the European Union who hold any personal data belonging to an EU citizen, basically speaking, GDPR is real!

GDPR is real – are you ready?

What we will see over the coming days, weeks and months is that the potential cost of GDPR compliance to your organisation will massively outweigh the cost of non-compliance.

What is really important for all organisations is to understand the implications of the law and how it will affect them directly. It now falls on the organisation to understand how it collects, stores and processes that data, and to have policies and procedures in place to manage it correctly, for example in the case of a Subject Access Request or the Right to be Forgotten.

Understand the implications

The GDPR regulators will examine any organisations that are found to be non-compliant or who have not made a reasonable effort towards becoming compliant. Those organisations that are found guilty will be heavily punished.

The fines associated with non-compliance only serve as half of the potential negative consequences. Organisations that have not taken the appropriate steps may find themselves in a costly and potentially devastating public relations nightmare if they must defend their case against regulators in a court of law. The potential for damage to an organisation’s reputation could prove to be far more costly than the substantial fines that breaking the law might result in. Customers could choose to abandon an organisation that has not taken measures to ensure the security of their data.

What would the negative effect be on your brand?

In fact, this kind of negative publicity could even cause customers to lose faith in the organisation. Bad press coupled with the hefty fine could cause many businesses to crumble under the pressure.

The new EU initiative, which allows organisations to move towards complete data transparency, is a welcome change from the previous antiquated data protection laws.

Because after all, who will trust a brand that does not have the best interests of their customers in mind?

GDPR and “Opting-Out” for Good



The internet serves as an excellent method of keeping up to date with news, products and current events. Occasionally you may be asked if you would like to subscribe to a mailing list or if you would like to become a recipient of a serial newsletter. This can be useful if you have a genuine interest in the subject matter and wish to keep up to date with their offering. However, from time to time these lists can become troublesome and constantly inundate your mailbox with irrelevant and annoying spam. When this happens you find yourself asking:

“Can I opt-out?”

When you choose to subscribe to an online mailing list, you usually have the option to “opt-out”, meaning that you can request to be removed from the mailing list and will no longer receive the unwanted correspondences.

If the company is reputable and offers a genuine advantage to being a subscriber to their lists, such as special reduced prices or useful information, then it might be worth handing over your email address.

Who do you trust with your email address?


But there is always the chance that you will be added to a list that becomes a target for a cascade of irritating spam emails.

Most people choose the option to “opt-out” when these spam emails begin to clog up their inboxes and this puts a halt to the spam problem. However, it is a little-known fact that if you do indeed choose to “opt-out”, you may have shuffled free of the constant spam emails but your personal data may remain in the list owner’s database.

In many cases, these mailing list holders retain your personal information and continue to circulate it recklessly. The GDPR will prevent these list holders from retaining subscribers’ personal data once they have elected to “opt-out”.

“GDPR gives you greater control of your personal data”


When the GDPR comes into law on the 25th of May 2018, these mailing list holders will be held accountable for fully deleting, and not retaining, the personal data of subscribers who have “opted-out” and requested removal under the Right to be Forgotten mandate. Organisations that rely on users’ personal data will need to make certain they have the correct solutions in place in order to deal with the incoming regulation. There are few solutions available that are as effective at dealing with Sensitive Data Discovery as Enterprise Recon. This tool was designed specifically to discover, monitor and remediate sensitive data within an organisation’s data storage environment, making it the ideal choice for adhering to data security standards.
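The gap the post describes, an “opt-out” that stops the mail but leaves the subscriber’s record in the database, is a data-model decision, so here it is as an added example rather than code from the original post or from Ground Labs. The in-memory list below distinguishes an opt-out flag from actual erasure, and adds a retention sweep so that opted-out records do not linger indefinitely. The class name, field names and the 30-day retention window are assumptions made for the demonstration.

```javascript
// Added example: opt-out flag versus erasure on a mailing list (not Ground Labs code).

// Assumed policy: an opted-out record may be kept this long (e.g. to honour the
// opt-out across an in-flight campaign) before it must be erased.
const OPT_OUT_RETENTION_DAYS = 30;

class MailingList {
  constructor() {
    this.records = new Map(); // keyed by normalised e-mail address
  }

  static normalise(email) {
    return email.trim().toLowerCase();
  }

  // Record the subscription together with where and when consent was given.
  subscribe(email, name, consentSource, now = new Date()) {
    const key = MailingList.normalise(email);
    this.records.set(key, {
      email: key,
      name,
      consentSource,
      consentedAt: now.toISOString(),
      active: true,
      optedOutAt: null,
    });
  }

  // The traditional unsubscribe: mail stops, but name and address are retained.
  optOut(email, now = new Date()) {
    const rec = this.records.get(MailingList.normalise(email));
    if (rec === undefined) return false;
    rec.active = false;
    rec.optedOutAt = now.toISOString();
    return true;
  }

  // Right-to-erasure handling: the personal data is actually removed.
  erase(email) {
    return this.records.delete(MailingList.normalise(email));
  }

  // Addresses a campaign may still be sent to.
  recipients() {
    return [...this.records.values()].filter((r) => r.active).map((r) => r.email);
  }

  // Does the list still hold any personal data for this address?
  holdsPersonalData(email) {
    return this.records.has(MailingList.normalise(email));
  }

  // Retention sweep: opted-out records older than the window are erased, so an
  // opt-out eventually becomes a deletion instead of living on in the database.
  sweep(now = new Date()) {
    const cutoff = now.getTime() - OPT_OUT_RETENTION_DAYS * 24 * 60 * 60 * 1000;
    let removed = 0;
    for (const [key, rec] of this.records) {
      if (!rec.active && rec.optedOutAt !== null && Date.parse(rec.optedOutAt) < cutoff) {
        this.records.delete(key); // deleting during Map iteration is safe in JS
        removed += 1;
      }
    }
    return removed;
  }
}

// Constructed walk-through with sample subscribers.
function demo() {
  const list = new MailingList();
  list.subscribe("Alice@Example.com", "Alice", "web_form", new Date("2018-06-01T00:00:00Z"));
  list.subscribe("bob@example.com", "Bob", "web_form", new Date("2018-06-01T00:00:00Z"));
  list.optOut("alice@example.com", new Date("2018-06-02T00:00:00Z"));
  const afterOptOut = list.holdsPersonalData("alice@example.com"); // true: opt-out alone retains data
  const removed = list.sweep(new Date("2018-07-10T00:00:00Z"));     // 1: retention window expired
  const afterSweep = list.holdsPersonalData("alice@example.com");   // false
  return { afterOptOut, removed, afterSweep, recipients: list.recipients() };
}

console.log(demo());
```

Two things to take from this: an opt-out by itself does not satisfy a request to be forgotten, because `holdsPersonalData` is still true afterwards, and a retention sweep with a stated window is what keeps opted-out records from quietly accumulating.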

With this new regulation being brought in by the European Union, people now have control over their personal information and how it can be used and who knows, is this the beginning of the end for spam emailing?

Meeting the General Data Protection Regulation with Ground Labs

GDPR Compliance

The relationship between an organisation and its customers is important: the customer must trust that the data they share with an organisation is being managed responsibly.

When an organisation is responsible for managing large quantities of its customers’ data, it must ensure that every care is taken to keep this data secure. If a breach occurs and this data is lost, the company’s reputation may suffer, but more importantly, the customer loses faith in the business they once trusted. They feel cheated because the company did not exercise due care to ensure that it was safe.

“Discover – Identify personal data and where it resides”

With the new GDPR policy coming into force on the 25th of May, it is time for companies to ensure that they put effective systems in place in order to deal with any data queries they are responsible for.

When a customer calls upon an organisation to show them all of the data that the organisation is storing that belongs to them, this is called a Subject Access Request. The duty to answer this request falls upon the organisation and will be enforced under GDPR legislation. Failure to adhere to this request could result in the company being fined up to 4% of its global annual turnover or €20 million, whichever sum is greater.

“Monitor – establish security controls to detect and respond to requests and data breaches”

Subject access requests can be an onerous task for businesses that do not have the correct systems in place for dealing with such an appeal. Scanning once is simply not a plan of action for any company that is looking to comply with GDPR on a long-term basis. Systems and processes need to be implemented from the CEO down to deal with GDPR, but what do you do once the data has been found?

“Remediate – giving you real-time access to take affirmative action on sensitive data”

Very few products are as effective at finding and securing sensitive data as Ground Labs’ flagship product, Enterprise Recon. Customers are using Enterprise Recon to find and remediate their stored sensitive data. The solution is pre-configured with over 200 sensitive data types, but also gives the user the ability to add their own custom data types to scan for, which is invaluable when dealing with GDPR Subject Access Requests and subsequently provides a platform to fulfil right to erasure requests.

GDPR is happening now so don’t become the next headline, get ready with Enterprise Recon.

To learn more about how we find sensitive data or would like a live product demonstration please visit