GDPR news: GDPR turns six months old
Experts say businesses still have a way to go before they reach compliance
29/10/18: Portuguese hospital hit with 400,000 fine for two GDPR violations
The Portuguese data watchdog applied a 400,000 fine on a Portuguese hospital in July for two violations of the EU's General Data Protection Regulation (GDPR).
The Portuguese Data Protection Authority (CNPD) found the Barreiro Hospital had granted nine social workers access to patients' clinical data, while 985 users were registered for doctor-level access despite only 296 physicians working at the hospital.
The hospital is appealing the fine, issued on 17 July but not publicly announced at the time, and may even launch a judicial challenge, according to Portuguese publication Publico.
Two separate penalties were imposed after the data watchdog inspected the hospital in early July, with a 300,000 fine applied for failing to respect patient confidentiality, and limiting inappropriate access to patient data. The second fine of 100,000 was imposed for the hospital's inability to ensure the integrity of data security in their system.
"The Centro Hospitalar Barreiro Montijo (CHBM) does not follow the assumptions and understanding of the National Data Protection Commission (CNPD) on this matter," the hospital's board of directors said. "We are currently preparing a judicial challenge."
The regulator explained that an audit showed a test profile on the hospital's system granted "unrestricted" access to clinical data for patients.
According to the CNPD the hospital acknowledged the existence of unused profiles on the system, but said they were "temporary profiles" for doctors working on a contractual basis.
The fine represents one of the first publicly-announced GDPR fines issued since the regulations came into force on 25 May this year.
The figure is small against the 20 million (or 4% of global annual turnover) maximum that can be levied against an organisation, but indicates regulators may take a measured approach to enforcing GDPR.
24/09/2018: AggregateIQ hit with ICO's first GDPR enforcement notice
AggregateIQ (AIQ) is the first company facing a potential fine by the Information Commissioner's Office (ICO) for GDPR non-compliance.
An enforcement notice sent in July said the firm must stop processing the personal data of UK or EU citizens obtained from political groups, or face a heavy financial penalty. AIQ has chosen to appeal this notice.
According to Cambridge Analytica whistle-blower Chris Whylie, AIQ used data obtained by Cambridge Analytica to build an app that targeted Republican voters in the 2016 US election.
It ran a similar campaign during the Brexit Referendum where it was paid 2.7m by the Vote Leave and BeLeave campaigns and reportedly was involved in political actions in Northern Ireland.
Although all of these relate to pre-GDPR activity, the ICO said the company doesn't seem to have changed its practices since GDPR came into force in May and so it's now investigating how the company is collecting and processing data.
The company is denying any involvement with Cambridge Analytica and Facebook, saying its processes of collecting data are completely transparent.
"AggregateIQ has never been and is not a part of Cambridge Analytica or SCL. Aggregate IQ has never entered into a contract with Cambridge Analytica. Chris Wylie has never been employed by AggregateIQ," the company said in a statement.
"AggregateIQ has never managed, nor did we ever have access to, any Facebook data or database allegedly obtained improperly by Cambridge Analytica."
Although the enforcement notice was issued two months ago, it only emerged publicly in the last few days.
The Canadian company was given 30 days to audit its processes before the ICO fined the firm up to 17 million, or 4% of the company's annual global turnover, whichever is higher. But this timetable is suspended pending an appeal being heard.
14/09/2018: Just a third of companies are complying with subject access requests
The majority of companies around the world are failing to fulfill subject access requests (SARs) in time - contravening one of the most important provisions boosted under GDPR.
Under Articles 15 and 20 of the new data protection laws organisations must return the information they hold on a user or customer on request within one month. But research shows just 35% of EU-based companies are fulfilling SARs within the legal timeframe, which is also true for 50% of companies based outside of Europe.
The findings by cloud and data firm Talend are especially concerning given SARs are not a fresh provision under GDPR, rather the new regulations, which came into force on 25 May, simply reduced the window from 40 calendar days to 30.
"GDPR requires insight into company data and its governance," said research director at 451 Research Penny Jones.
"Recent research, including that done by Talend and separate reports by 451 Research, has found that while many organizations understand the importance of GDPR, many are still not taking their data seriously in terms of the technologies and processes they have in place.
"As a result, many businesses are falling short of their GDPR obligations. They can lack the proper methods for storing, organizing or retrieving data in line with the regulation's requirements."
Talend conducted market research between June and September with 103 companies operating in Europe, of which 70% were EU-based and the remainder based elsewhere.
Retailers performed the worst, with 76% failing to return information within the 30-day limit, while financial services firms, which performed the best, still only managed a 50% success rate.
Of companies complying with the provision, 65% responded within ten days, while the average response time was 21 days.
The company also found businesses which began life offline, and thus have to contend with legacy systems, were more sluggish to respond.
Meanwhile streaming services, mobile banking and tech companies generally responded within one day, suggesting "digital services companies are more agile" when it comes to compliance.
"GDPR presents an opportunity to engage with customers and build loyalty. It's vital for businesses in the digital era to have a 360-degree view of customers," said Talend's senior director of data governance products Jean-Michel Franco.
"Businesses must ensure that data is consolidated and stored in a transparent and shareable way.
"What's more, GDPR's one-month time limit should be viewed as an absolute deadline rather than a target."
IT Pro asked the Information Commissioner's Office (ICO) for its view on the findings, and the recourse available when SARs are not fulfilled by organisations in time, but the ICO has yet to respond.
10/09/2018: Shareholder sues own company over preparation claims
A US-based firm, its CEO and CFO are being sued for damages by a shareholder over claims they issued misleading statements about the company's GDPR-readiness.
Shareholder Arun Bhattacharya has alleged the information and data measurement firm Nielsen Holdings misled shareholders, and the wider public, about the potential impact of GDPR on revenue streams - as well as its own preparation activities.
As reported by Strategic Legal, the company relies on consumer data provided by third party data aggregators such as Facebook to generate consumer metrics for its clients according to a Complaint filed in New York.
Filing the suit, Bhattacharya accused the company of playing down the impact of GDPR on revenue, and issuing false statements about how the new data protection legislation would affect the business.
Between February and July, the Complaint says, Nielsen "repeatedly assured investors that its measurement and analytics services provided to customers were continuously viable and strong", and that large data sets provided by partners like Facebook would not be limited.
But on 26 July the company published financial results for the second quarter of 2018, showing it had missed revenue targets, and publicly-stated that GDPR had in fact had a much bigger impact on business performance than initially presumed.
The class action lawsuit, filed on behalf of everybody who purchased a share in the company between 8 February and 25 July, alleges a breach of the 1934 Securities Exchange Act - with Bhattacharya accusing the company of lying to shareholders.
Despite being devised by the European Union, companies in the US must still adhere to the new data protection laws, which came into force on 25 May, if they process data involving citizens of European Union or associated countries.
This has actually led many American-based companies, including the LA Times, from implementing filters that prohibit online access to European users.
"Any company outside of the EU that was in any doubt about whether GDPR applied to them should be taking heed and acknowledging that if you process or store EU citizen data, GDPR is a business risk that needs to be managed," said RSA Security's Field CTO EMEA Rashmi Knowles.
"As such, it's a final warning to all organisations that securing personal data is no longer just the responsibility of the IT team, but a board level issue that impacts every aspect of a company from profitability to shareholder confidence."
05/09/2018: 'Human error' to blame for most data incidents
Data security incidents reported to the Information Commissioner's Office (ICO) have risen by 75% in the last two years, according to new analysis, with the vast majority pinned on 'human error'.
While 2,214 incidents reported last year could be attributed to incompetence or error, only 292 were seen as being related with malicious activity, a Freedom of Information (FOI) request submitted by Kroll, a corporate investigations and consultancy firm, revealed.
Among the most common incidents were 447 instances of confidential data being emailed to the incorrect recipient, 438 instances of loss or theft of paperwork, and 164 instances of data left in an insecure location.
With GDPR now requiring organisations of all sizes to report all potential data breaches to the ICO within 72 hours, the number of recorded incidents is only set to rise in the coming months and years.
"Reporting data breaches wasn't mandatory for most organisations before the GDPR came into force, so while the data is revealing, it only gives a snapshot into the true picture of breaches suffered by organisations in the UK," said managing director and EMEA leader for Kroll's cyber risk practice Andrew Beckett to CBR Online.
"The recent rise in the number of reports is probably due to organisations' gearing up for the GDPR as much as an increase in incidents.Now that the regulation is in force, we would expect to see a significant surge in the number of incidents reported as the GDPR imposes a duty on all organisations to report certain types of personal data breach."
Kroll's analysis echoes similar findings by law firm EMW, whose FOI request revealed the number of complaints filed to the UK data watchdog had doubled since GDPR came into force on 25 May.
According to EMW the number of complaints between 25 May and 3 July climbed from 2,417 in 2017 to 6.281 this year as organisations succumbed to mandatory reporting for data incidents.
28/08/2018: Data complaints to ICO double after GDPR
GDPR is having an impact: the number of complaints filed to the UK's data protection watchdog has doubled since the General Data Protection Regulation came into force at the end of May.
That's according to figures obtained via a freedom of information act request filed by law firm EMW, which reveal the number of complaints to the Information Commissioner's Office (ICO) between 25 May and 3 July this year climbed to 6,281 versus just 2,417 during the same period last year.
The law firm pinned the increase on individuals having more awareness of their data rights, as well as companies being forced to report their own data breaches.
"A huge increase in complaints is very worrying for many businesses, considering the scale of the fines that can now be imposed," EMW principal James Geary said in a statement. Fines have increased from a maximum 500,000 doled out to Facebook earlier this year to 20 million or 4% of global turnover.
"We have seen that many businesses are currently struggling to manage the burden created by the GDPR, whether or not that relates to the implementation of the GDPR or reportable data security breach incidents," Geary added.
The data watchdog is one such organisation feeling the heat from GDPR, though it told the Financial Times it's ready for the increased work and already hiring staff to meet the increased demand, with EMW's data request revealing the watchdog's staff would increase from 530 full-time employees to 720.
22/08/2018: Many organisations would fail GDPR audit
It's been months since the GDPR's 25 May deadline and yet nearly a third of organisations are still unprepared for the EU's data regulations.
This is according to a survey compiled by Imperva, the cybersecurity authority, that suggests many of these organisations are still unsure they comply with the General Data Protection Regulation (GDPR).
The survey was conducted at the Infosecurity Europe 2018 trade show, the largest security focused conference in Europe, and is based on responses from 185 attendees that included IT professionals, managers and executives. The results of which revealed that 28% of organisations do not feel completely compliant with the EU's data regulations.
"The deadline has now come and gone, yet the study shows that many organisations aren't sure they have achieved GDPR compliance," said Terry Ray, CTO of Imperva.
"Any company that put GDPR off until the last minute now realises compliance cannot be achieved overnight. It does not surprise me that many organisations feel unsure about the idea of a GDPR audit. The truth is many would fail."
This lack of confidence with GDPR compliance was highlighted in the survey with less than one-fifth of respondents said they were not confident of passing their first GDPR audit and less than half said they were.
Assessing personal data rights the survey also asked if the respondents knew where all users personal data resided on their respective systems, worryingly, while only a third said they knew the location, more than half said they would need an extra three months to get their data storage in order.
There was more confidence when dealing with individual data requests, with 90% claiming they could easily respond to anyone wanting to obtain personal information held by the organisation. In fact, 57% said that their organisation had already received such a request.
21/08/2018: Huge spike in patient safety incidents pinned on mandatory reporting
The National Pharmacy Association (NPA) has pinpointed GDPR as one of the main factors behind the substantial rise in the number of patient safety incidents reported in the second quarter of 2018.
The number of incidents reported increased by 64% in April to June, against the first three months of 2018, according to the NPA's latest Medication Safety Officer (MSO) quarterly report, while the submission of reports in June doubled.
The report attributing this spike to mandatory reporting of certain incidents and breaches as stipulated by the new data protection laws, which came into effect on 25 May.
"It is important to reiterate that pharmacy teams are required to have robust procedures in place for investigating and reporting data breaches," said the NPA's director of pharmacy Leyla Hannbeck.
"Under GDPR, some data breaches require pharmacy contractors to notify the Information Commissioner's Office (ICO).
"I also recommend every pharmacy maintains a log of all data breaches, including when the data breach occurred and action taken, as required under GDPR."
Hannbeck said medication dispensing errors, which involved a breach of patient confidentiality, comprised eight percent of all incidents reported to the NPA.
Common errors included giving medication to the wrong patient due to a similar sounding name, bagging up medication and attaching a repeat prescription slip in another patient's bag, delivering medication to the incorrect recipient, and printing incorrect address labels.
More generally, the most common incidents identified between April and June were drugs labelled with an incorrect, or unclear, required dosage, as well as patients being given the wrong drug or medication.
The majority of incidents led to no harm being caused to the patient, 57%, while 29% of incidents resulted in near misses. The remainder caused either low to patients (10%) or moderate harm (four percent).
06/08/2018: Facebook data debacle pushes Brits to use GDPR
British consumers are a fan of GDPR, especially after revelations surrounding political data firm Cambridge Analytica's use of Facebook user data.
That's according to research on the General Data Protection Regulation from SAS, which shows that people are "activating" their personal data rights faster than expected.
Here's what that means: last year, SAS surveyed Brits asking what they thought about GDPR, and when they exercise privacy protections such as the right to access data held about them, as well as query and erase it. In 2017, 42% said they expected to make use of such rights within a year, but the latest SAS survey shows that 31% already have two months on from the formal arrival of GDPR. Plus, we're on track to hit 55% within the first year.
What's sparked the change? SAS suggested it could be down to recent data scandals, notably the debacle surrounding Facebook and Cambridge Analytica. The survey found that 88% of those asked were aware of the major scandal, and of those who knew about the incident, 72% said they'd changed data permissions with companies they use, or will share less data in the future. A third say they have removed their data from social media or retailers that misuse it for marketing, or plan to do so in the future.
"Businesses that fail to respect their customers or their data risk losing both, sacrificing their competitive advantage and hurting the bottom line," said David Smith, Head of GDPR technology at SAS UK and Ireland. "Transparent data management and analytics are crucial, not only to achieve compliance but to provide personalised customer experiences that make consumers more willing to share their data."
Half of those surveyed said they would "activate their data rights" after one privacy mistake from a company, though that's not necessarily shown in reality there's not exactly very many high-profile companies knocked out of business through data misuse, Cambridge Analytica aside.
31/07/2018: ICO reveals fivefold rise in self-reported data breaches post-GDPR
The number of self-reported data breaches have soared since GDPR came into force in May, according to the Information Commissioner's Office (ICO).
The first full month of GDPR enforcement, June 2018, saw 1,792 instances of self-reported breaches - approximately five times more than the 367 that occured in April 2018, the UK data protection watchdog has revealed.
Under GDPR, data controllers must report any breaches of personal data at their organisation to the ICO within 72 hours of being made aware of the breach.
The ICO's head of personal data breach reporting team, Laura Middleton, revealed that figures for April were consistent with those for the previous month, 398, while self-reported breaches doubled in May, with 657 reports received.
She attributed the increase between April and May to a few days of GDPR enforcement, and the fact organisations had been preparing their internal self-reporting mechanisms for the 25 May deadline for GDPR compliance. She said many were self-reporting early based on breaches under the previous Data Protection Act 1998.
"We expected to receive a significant increase in the number of breaches compared to before 25 May," Middleton said, identifying health, education, general business, solicitors and local government as the main sectors that had suffered data leaks.
She continued to outline a few tips for data controllers whose organisations may have suffered a breach, including that it's better to report over the phone line introduced last November, and that the ICO does not differentiate between 'formal' and 'informal' reports.
"As I hope we have emphasised today, not every personal data breach needs to be reported," she continued. "So controllers should assess the likelihood and severity of risk to individuals before making that decision to report.
"You can call us for advice, but we're not going to make that decision for you to report."
Elsewhere during the webinar, Middleton revealed that every case the ICO receives is ideally looked at either on the same day, or shortly afterwards, before adding "we are looking to act on very serious data breaches reported as soon as possible".
17/07/2018: Just 20% of UK companies are now compliant with GDPR
Only 21% of UK organisations consider themselves to be GDPR-ready, despite the data protection law having come into force on 25 May.
Meanwhile, EU-based organisations, excluding the UK, are twice as likely to consider themselves compliant than US firms are, at 27% versus 12%, according to new research.
Another 27% haven't actually reached the implementation phase of their compliance strategy, according to security firm TrustArc's survey of 600 IT and legal professionals with a role in data protection policy in the UK, US and EU, conducted in the middle of June and published this week.
Moreover, while the majority of UK organisations expect to be fully compliant by the end of 2018, 25% anticipate not being compliant until 2019 or beyond.
"While the amount of effort was immense for the deadline of 25 May, there is substantive work yet to complete to achieve initial compliance as well as monitor and maintain compliance on a repeatable and efficient ongoing basis," said TrustArc's CEO, Chris Babel.
The lack of preparedness across the UK, EU and US should be of concern given the new set of data protection laws carry with them a maximum fine of up to 20 million, or 4% of global annual turnover, whichever is higher, for breaches.
But fines haven't played as prominent a role as the press coverage has warranted, according to the researchers, with only 38% of UK organisations saying financial penalties comprised one of the key motivators for investing in compliance.
Rather, the biggest motivators included meeting customer expectations, true for 58% of UK companies, while supporting company values, 47%, and meeting partner or third-party expectations, 41%, comprised the other main drivers.
More than two-thirds of companies have spent above $100,000 to date on compliance, and 67% expect to continue spending this amount through to the end of the year, investing in internal and external personnel, training, consulting, legal advice, technology and new tools.
Most respondents saw the new data protection laws as having a positive impact on business, compared to 15% claiming GDPR will affect them negatively.
Medium-sized companies were most likely to see GDPR as a benefit, with 71% receiving the data protection laws positively, while the same was only true for little over half of large businesses, 51%.
"There is a lot work yet to be done in order for all companies to achieve full GDPR compliance, as well as for them to monitor, maintain and demonstrate ongoing compliance in a repeatable and efficient manner," Babel added.
"The good news is that companies realise that the effort and expense will have a positive effect on their businesses and is well worth the investment."
05/07/2018: AI searches for GDPR compliance in tech firms T&C's
Tech firms do not "fully comply" with GDPR according to researchers who are training artificial intelligence to sift through the T&C's of 14 biggest technology companies.
A team from the European Institute in Florence analysed the privacy policies of 14 popular online companies, including Facebook, Google and Amazon, taking the requirement's of the GDPR as a basis.
The project is supported by the BEUC, a pan-European consumer group, is called "Claudette Meets GDPR". It suggested that the privacy policies of the 14 firms analysed did not fully meet the requirements of the GDPR.
In total, all the policies analysed amounted to 3,659 sentences and 401 of those sentences were marked as containing unclear language. A further 1,240 contained clauses the researchers deemed "potentially problematic" or clauses that were providing "insufficient" information.
"A little over a month after the GDPR became applicable, many privacy policies may not meet the standard of the law. This is very concerning. It is key that enforcement authorities take a close look at this," said Monique Goyens, BEUC's director general.
"This innovative research demonstrates that just as Artificial Intelligence and automated decision-making will be the future for companies from all kinds of sectors, AI can also be used to keep companies in check and ensure people's rights are respected."
The use of AI as an asset for consumer groups to monitor the market and ensure infringements do not go unnoticed could potentially be an ironic twist in the continuing debate about the tech industry's use of data, where technology is turned around as a tool used to govern its itself.
"We expect companies to respect consumers' privacy and the new data protection rights. In the future, Artificial Intelligence will help identify infringements quickly and on a massive scale, making it easier to start legal actions as a result." Goyens added.
The way in which big tech firms have set out T&C's has come under heavy scrutiny since the GDPR came into force. Recently, a Norwegian Consumer Council accused Microsoft, Google and Facebook of deliberately pushing users away from selecting privacy-centric options within their services.
26/06/2018: Gov launches review of exemptions to data handling fees
The UK government has said it will review the provisions that exempt some businesses and organisations from paying fees to handle user data, in an ongoing effort to ensure data protection enforcement is adequately funded.
Every business and sole trader that handles personal user data is legally required to pay a fee to the Information Commissioner's Office (ICO), the UK's data protection watchdog, used to fund day to day work and legal action against malpractice.
Under the Data Protection Act 1998, organisations were required to register with the ICO and pay a two-tier annual fee of either 35 or 500, based on turnover and size.
Following a change to the fee structure with the introduction of the General Data Protection Regulations (GDPR) in May, businesses now adhere to a three-tier system of payments of either 40, 60 or 2,900 depending on the size and turnover of the company.
Most businesses now pay either 40, if they're a micro business of fewer than 10 employees or have a turnover less than 632,000, or 60 if they're a small business of fewer than 250 employees or have less than 36 million.
Currently, only public authorities are exempt from paying fees, although charities and small occupational pension schemes are only required to pay the tier 1 fee (40), regardless of their size or turnover.
While the review will seek feedback on these exemptions, attention is largely being focused on more detailed exemptions, specifically those for people or organisations that process personal data for only 'core business purposes'.
These include staff administration such as payroll, advertising and public relations related to a business' own activities, and processing for the purpose of keeping accounts and records.
The government review is assessing whether these exemptions are still appropriate given the fee change, which it says could lead to either new exemptions being created, or current rules being restricted.
"Given that most of the exemptions date back many years, and to a time when digital processing of personal data was not undertaken on anything near the scale it is today, the Government considers that there is merit in reviewing the exemptions to ensure that they are still appropriate to the current time, and fit for the digital age," the consultation explains.
"We have invited respondents to detail any other data controllers or processing that they consider appropriate for an exemption."
Another exemption under review is the processing of personal data for the purposes of maintaining a public register, which is based on the 1984 Data Protection Act. Initially intended to cover those responsible for m
The exemption from processing personal data for the purposes of maintaining a public register is also under review, as it was first introduced under the 1984 Data Protection Act.The government has suggested that elected officials, which it says act like data controllers when conducting casework for constituents, should be exempt from paying annual fees as their work is regarded as a public function.
Public feedback is being welcomed until the 1 August 2018, which can be submitted through an online form available here.
01/06/2018: European Data Protection Board backs ban on 'cookie walls'
'Cookie walls' should be banned under new ePrivacy rules as they are not compatible with GDPR, according to the European Data Protection Board (EDPB).
In a statement on the anticipated revision to the EU's ePrivacy Directive, the EDPB, the official body tasked with overseeing the consistent application of the new data protection laws, called for a strengthening in how user consent is obtained and bolstering privacy in electronic communications.
Cookie walls, which are deployed by websites on the condition users consent to storing cookies on their device, was referenced directly alongside tracking technologies in general, as the EDPB said GDPR's requirement for organisations to obtain "a freely-given consent" should "prevent service providers from including cookie walls for their users".
"In order for consent to be freely given as required by the GDPR," the statement continued, "access to services and functionalities must not be made conditional on the consent of a user to the processing of personal data or the processing of information related to or processed by the terminal equipment of end-users, meaning that cookie walls should be explicitly prohibited."
The text for the new ePrivacy Regulation is yet to be finalised by the EU parliament despite being first proposed by the European Commission in early 2017. These are tailored specifically to cover electronic communications, where GDPR covers personal data, but delays in its drafting mean the exact form it will take has yet to be established.
Drafted in a bid to replace the existing Cookie Law, these new regulations will bring service providers within the scope of the EU's ePrivacy rules for the first time. A submission from the UK data regulator the Information Commissioner's Office (ICO) to the EU's consultation on the Regulation said the revision should "achieve a proportionate balance" between privacy rights and "legitimate interests of information society services".
The EDPB, set up on 25 May to coincide with GDPR coming into force, is an EU body tasked with applying and regulating the new set of data protection laws consistently across member states; comprising the head of each nation's regulator, among others.
The UK, however, was recently informed by the EU's chief negotiator in Brexit talks, Michel Barnier, that it will be relegated to "third country" status, and that the ICO will no longer have a decision-making seat on the body.
30/05/2018: GDPR risks helping hackers hide from police says Whois
The EU has gifted cyber criminals with data protection, according to the owners of Whois, a service used by the police to check the legitimacy of websites.
Whois is owned by Icann, which is a nonprofit organisation for internet namespaces, and its lawyers Brian E. Finch and Steven P. Farmer wrote a letter to the Wall Street Journal entitled '"The EU's gift to Cybercriminals" in which the pair claim hackers will be harder to catch under the new legislation.
"Police will be deprived of quick access to vital data that severely hinders efforts to identify and stop illicit activity. The EU regulatory box will make it harder than ever to catch hackers," they wrote.
Whois has been forced to remove most of the information on its sites, such as the display names, email addresses and phone numbers of some websites, to comply with GDPR legislation.
Icann had asked for a delay to comply with GDPR, but the request was turned down.
Speaking to the BBC, Mr Farmer said that the lack of guidance given by the EU could potentially make companies extremely cautious about the regulation, because "the consequences of getting it wrong are so serious", and that companies are being "extremely conservative in interpreting the law".
"It's regrettable we didn't have guidance on the key principles," he said.
Whois is not just used by law enforcement but is also a popular service for cybersecurity companies.
Nik Whitfield, who is the chief executive of cyber-security company Panaseer, said he had used Whois to help companies spot dodgy emails.
"The service is valuable for protection as it helps provide context around whether an external website is legitimate or potentially unsafe," he told the BBC.
29/05/2018: GPs 'lack awareness' of GDPR despite NHS drive to share patient data
GPs' awareness of the General Data Protection Regulation (GDPR), which came into force last Friday, is low despite an NHS drive to use patients' personal data to improve healthcare.
New findings show that awareness of the new rules governing data protection, which can see organisations fined up to 4% of their global annual turnover or 20 million for infringements, is low among doctors serving as the first port of call for many patients.
Nearly one in six GPs and one in 10 GP principals had never heard of the term, while a quarter of GPs had heard of it, "but not much more than that", while a further 14% had only heard of GDPR in the media.
The new findings, based on a survey of 1,018 GPs across England by healthcare research firm medeConnect, come as NHS England has launched a six-week drive across commercial radio, national, and web advertising, to raise public awareness of data-sharing in light of GDPR, as well as promote its national opt-out tool launched last week.
The new tool, which is expected to be enforced by all healthcare providers by 2020, will allow patients across England to opt out of sharing their confidential patient information with NHS organisations for research and planning purposes.
As part of the 'Your Data Matters' campaign, run by the NHS and Information Commissioner's Office (ICO) - the health service will initially focus on GDPR before promoting its opt-out tool from early June. The opt-out tool was based on recommendations by the National Data Guardian Dame Fiona Caldicott in a review published in 2016.
"Sharing information between health and care professionals can be lifesaving by quickly providing staff with the details they need, from patient histories to previous test results and care plans," said Dr Simon Eccles, the NHS's chief clinical information officer (CCIO).
"This campaign will highlight to the public how the health and care system uses their data, safely and securely, to improve the care they receive, plan services and research new treatments and to tell the public 'their data matters to the NHS'."
Dame Caldicott, meanwhile, said: "I welcome the progress we are seeing to help people understand how health and care data may be used and what choices they have. These are important steps to build the vital foundation of public trust for the use of such data, which holds benefits for all of us - from researchers making breakthroughs in life-saving treatments, to better planning of services, to regulators seeing things going wrong promptly."
But medeConnect's findings raise concerns as to how aware practitioners are themselves about the tougher regulations they must now adhere to. Due to the structure of the NHS, most GPs - approximately 75% - are considered self-employed independent contractors, with each practice acting as an independent business.
The survey found that fewer than half of GPs had discussed GDPR within their practices or primary care organisation, with the same being true for 62% of GP principals. Of the GPs who had discussed it, 65% said the practice manager would be responsible for GDPR compliance, while 28% said the burden would fall on either themselves or another GP working in the practice.
The main implications of GDPR, according to 26% of GPs, would be more work or bureaucracy, followed by 17% citing an extra financial burden or loss of earnings, while only 1% believed GDPR would be a positive development.
GPs were targeted as part of a wider awareness campaign by the Department for Digital, Culture, Media and Sport (DCMS), supported by the Department for Health (DfH) and the ICO. This included a toolkit that was shared with a number of organisations, including the Royal College for General Practitioners (RCGP), according to NHS Digital.
A greater onus is being placed on awareness among the public, as well as within the health service, in light of an array of digital tools the NHS is building as it increasingly embraces technology. For instance, NHS Digital last month presented plans to roll out a digital citizen ID for patients across the UK - with 'video selfies' touted as a potential verification tool.
Meanwhile, prime minister Theresa May has pledged to fund more use of AI in public healthcare, drawing on the NHS's huge volume of data to better predict cancer and plan treatment for patients. However, such endeavours rely on GDPR-compliant data-sharing, as well as protecting that data against hackers or misuse. All 200 NHS trusts failed cyber security standards earlier this year, and the government hopes to mitigate cyber security issues with a mass upgrade to Windows 10 in the next two years.
NHS England, DCMS, DfH, the ICO and RCGP were approached for comment.
Four cyber security essentials that your board of directors wants to know
The insights to help you deliver what they needDownload now
Data: A resource much too valuable to leave unprotected
Protect your data to protect your companyDownload now
Improving cyber security for remote working
13 recommendations for security from any locationDownload now
Why CEOS should care about the move to SAP S/4HANA
And how they can accelerate business valueDownload now