One of the interesting things I’ve noticed with EU GDPR lately is a change in mood music around the regulation. It’s not quite like switching from heavy metal to easy listening, but the tone has very obviously shifted from the burden of compliance to how the process could make organisations leaner and better off.
There’s little doubt in my mind that some unscrupulous opportunists in the security sector quickly jumped on GDPR as a chance to dust off the old ‘fear, uncertainty and doubt’ songbook and remix a couple of the greatest hits.
No-one is suggesting that the road to compliance will be easy like Sunday morning, but there’s no need to run to the hills or to think complying with GDPR will be a highway to hell. There’s a growing sense that the process of becoming compliant is a fantastic opportunity for any organisation to take a long, detailed look at how it processes personal data, where it does so, and – even at a more philosophical level – to consider why it gathers and stores that information.
When GDPR was unveiled last year, the heavy fines made for easy headline fodder and naturally drew the biggest attention. Who wouldn’t want to avoid getting caught in the net of expensive regulation?
However, from a close reading of the text, it seems to me that if an organisation can demonstrably show that it had appropriate measures in place for protecting data prior to an audit, a breach or an incident taking place, it may be insulated from the worst financial penalties anyway.
The systems, controls, and processes for monitoring data assets should align with generally accepted security standards and frameworks like ISO/IEC 27001/27002, NIST Cybersecurity Framework or CIS Critical Controls. Independently of GDPR, the process of getting certified is an excellent regime for getting any organisation’s critical controls into shape.
What’s more, the audit process of discovering what records an organisation holds, and the nature of that data, is a very worthwhile exercise. Duplicate databases are a fact of life in most organisations, so this is a great chance to rationalise systems and eliminate any unnecessary spending on data stores that are no longer needed.
The optimist in me thinks that any organisation coming out the far side of their GDPR compliance process will be in a much better place.
That’s why it’s discouraging to see a sizeable number of UK businesses think Brexit will give them a free pass to avoid compliance efforts. A survey by Crown Records Management found that almost one in four UK businesses have stopped all preparations for it, and 44% believe the regulation won’t apply to them.
That attitude is misled by the red herring of the letters ‘EU’ in front of GDPR. In fact, this regulation applies to companies anywhere in the world: if an organisation stores or processes information relating to EU citizens, then it is bound by GDPR, even if it is headquartered in post-Brexit Britain.
As I write this, the widespread WannaCry ransomware attacks have thrown a very harsh spotlight on many organisations’ IT infrastructures and their continued reliance on old systems. By contrast, we know GDPR is coming and that gives us the chance to prepare for it. Working in security and data protection rarely affords us such a valuable opportunity. Let’s take it.
Brian Honan is a keynote speaker at Infosecurity 2017
EU GDPR Special Focus – Extended Session
Wednesday 7th June – 14:10 – 15:30