Carson argues that firms consistently struggle to submit breach information to law enforcement, even after several months. Further complexity is added to breach notification due to confusion in the market about who is, or is not, a qualifying EU resident. Some companies are skirting this by ensuring they are compliant for all customers, not just the ones who may fall under GDPR jurisdiction.
Some companies have speculated that a simple way to be compliant, regardless of fuzzy national status definitions, is to simply process all data in Europe for customers who could be EU residents.
"Many people mistakenly believe [this], but nothing can be farther from the truth," said Fortanix's Kumar. "You need to follow the same process irrespective of where the data is processed."
Joseph Carson, chief security scientist at Thycotic
Yet another layer of complexity -- relationships with third-party suppliers -- further muddies the waters. Contractors are often obliged to keep a firm's data safe, and this situation could prove a flashpoint between the US and the EU.
"US companies undoubtedly have many third-party relationships, but there is presently no easy way to [comply] with this using technology," said Allure's Stolfo. "Managing a third party's networks is impossible... and that third-party risk will ultimately cause a clash between EU GDPR regulators and US contract law."
Furthermore, it's been suggested that the US struggles with the quality and quantity of material disclosed after a breach due to weak federal security disclosure laws. This prevents companies from learning from each other's mistakes.
"Companies that experience security breaches must provide transparency into how the attack happened, why defenses failed and what we must do to better avoid such breaches in the future," said Alert Logic's Govshteyn. "Today, disclosure laws vary by state, and this has done little to resolve the disclosure problem for companies that operate nationally or internationally."
Technology or process?
Enterprises are in the process of defining which technologies can be their best ally for GDPR compliance. Challenges include accessing, consolidating and exposing data to make it easily searchable, managing it through its lifecycle, and making it deletable upon request.
Such a request from a private citizen, known as the "right to be forgotten," is particularly tricky because data can be encrypted at rest, in transit and also during runtime.
"The simplest way to meet these requirements is to encrypt all the user data with a single key and then centrally manage the key," Kumar said. "When the user requests deletion of their data, organizations can [just] delete the key." That's providing the data can even be located, or can be reclaimed if it's lost in a breach.
One new technology, which requires "beaconization" of all data, helps owners track its journey if it leaves the network either lawfully or through malicious action. Then, there are the magnetic tapes and floppy disks of yesteryear to find, too.
"Just the act of finding all of the data to be forgotten is not trivial," said Allure's Stolfo. "Will a company have to maintain a copy of the deleted records to prove that they have indeed made best efforts to delete it all?"
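The approach Kumar describes above is usually called crypto-shredding: each data subject's records are encrypted under a key that only a central key store holds, and an erasure request is honoured by destroying that key rather than by hunting down every row. It also speaks to Stolfo's point about copies: a backup or replica the deletion job never found is useless once the key is gone, and the deletion log of the key store is the evidence that best efforts were made. The following is an added illustration, not code from the article or from Fortanix. The class names, the `KeyVault` stand-in for a KMS/HSM, and the HMAC-SHA256 counter-mode cipher are assumptions for the demonstration; a real deployment would use an AEAD such as AES-GCM from a vetted library and a key store whose own backups are covered by the same destruction step.

```python
import hashlib
import hmac
import os


class KeyDestroyed(Exception):
    """Raised when a record's owner has exercised erasure and the key is gone."""


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF-based stream cipher. Illustrative only;
    # production code should use AES-GCM or another vetted AEAD.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Derive separate encryption and MAC keys from the per-subject key (encrypt-then-MAC).
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyVault:
    """Stands in for a central KMS/HSM: one data-encryption key per data subject."""

    def __init__(self) -> None:
        self._keys: dict = {}

    def create(self, subject_id: str) -> None:
        self._keys[subject_id] = os.urandom(32)

    def get(self, subject_id: str) -> bytes:
        if subject_id not in self._keys:
            raise KeyDestroyed(subject_id)
        return self._keys[subject_id]

    def destroy(self, subject_id: str) -> None:
        # Erasure only works if every copy of the key goes too: KMS backups,
        # escrow copies and any key material cached in application memory.
        self._keys.pop(subject_id, None)


class DataStore:
    """Application store: every record is encrypted under its subject's key."""

    def __init__(self, vault: KeyVault) -> None:
        self.vault = vault
        self.records: dict = {}  # record_id -> (subject_id, ciphertext blob)

    def put(self, subject_id: str, record_id: str, data: bytes) -> None:
        self.records[record_id] = (subject_id, encrypt(self.vault.get(subject_id), data))

    def get(self, record_id: str) -> bytes:
        subject_id, blob = self.records[record_id]
        return decrypt(self.vault.get(subject_id), blob)

    def forget_subject(self, subject_id: str) -> None:
        # Crypto-shredding: destroy the key. The ciphertext rows, and any copies in
        # backups or replicas the deletion job never located, become unrecoverable.
        self.vault.destroy(subject_id)


def is_readable(store: DataStore, record_id: str) -> bool:
    try:
        store.get(record_id)
        return True
    except KeyDestroyed:
        return False


def demo() -> dict:
    vault = KeyVault()
    vault.create("subject-42")
    store = DataStore(vault)
    # Constructed sample record for the demo; not real personal data.
    store.put("subject-42", "rec-1", b"name=Alice Example;email=alice@example.invalid")
    backup = dict(store.records)  # a backup copy that a row-by-row delete would miss
    before = is_readable(store, "rec-1")
    store.forget_subject("subject-42")
    after = is_readable(store, "rec-1")
    restored = DataStore(vault)
    restored.records = backup  # the stale bytes are still there, but the key is not
    backup_readable = is_readable(restored, "rec-1")
    return {"before": before, "after": after, "backup_readable": backup_readable}
```

Running `demo()` shows the record readable before erasure and unreadable afterwards, including from the untouched backup. The design choice that matters is the key granularity: one key per data subject makes erasure a single key-store operation, whereas one key for the whole database would force a re-encryption of everyone else's data to forget one person.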
Forrester says the adoption of security controls such as encryption and tokenization, as well as acquiring controls for network security, are at the top of the enterprise list of GDPR-related priorities. Ianopollo believes, though, that firms anxious for compliance are burdening technology with the compliance task at the risk of retaining unhelpful internal processes.
"As a result, firms are neglecting requirements that hinge more heavily on processes, such as managing data subject rights and consent management," she said.
And what of the citizen at the heart of GDPR's protections? Should we expect fewer stories in the press about big corporations' failure to protect their customers now that there will be enforceable financial penalties? Will the person on the street see an immediate benefit from tighter vigilance and management of their personal information?
"The average EU citizen has no idea about the new privacy rights they will be entitled to," said Thycotic's Carson. "Only lawyers, governments, security researchers or companies who process or collect a vast amount of personal data, or solution providers have any idea what GDPR is. Most citizens have no clue."
— Simon Marshall, Technology Journalist, special to Security Now