Unless you are new to my blog posts, you will know that I spend most of my time talking to organizations about security, whether that is data security, cloud security, people security, or application security. If you are new to my blog posts, then welcome. I hope you enjoy them and find them useful and informative.
For the last 12-18 months, a fair amount of my work and many of my conversations have been in relation to GDPR. I personally think that GDPR is a great step forward for privacy and security. It does a good job of ‘encouraging’ organizations to put more thought and control into how they use and protect personal and sensitive data. However, this post isn’t about how great GDPR is.
Watching the security news and market trends, I have seen a lot of different marketing messages and approaches from IT vendors and consulting companies on the best ways to address GDPR.
Unsurprisingly, from the consultants, it’s all about business transformation and process change, whilst the IT vendors pontificate about how much you need their technologies and how their products are the answer to GDPR. In most cases, much of the marketing has been built around the now much-quoted fines. Having worked in security for a long time, I have regularly seen security products marketed on FUD (Fear, Uncertainty, and Doubt), usually generated by alarming statistics. From a fines point of view, you don’t get much more alarmist than
“4% of global annual turnover”
(many quoted stats failing to mention the “up to” in front of that)
This scaremongering annoys me, and it’s not just me. In a recent blog post, Elizabeth Denham of the UK ICO clearly voiced the same frustrations. Don’t get me wrong, the fines are important and are a key factor in how seriously organizations are taking GDPR. However, there are other ramifications of not following the GDPR, and these are also key factors for any organizational program to address it.
So, how do I think the industry should be talking to organizations about GDPR? It’s simple: they should be helping them, not scaring them. Here are some observations I have made over the last few months.
Lay out the facts of the regulation, not some biased interpretation that suits your product. If the conversation does include a discussion around fines, then talk about the fact that fines are tiered and that Article 83 talks about ‘taking into account technical and organizational measures’ when deciding whether to impose administrative fines. Also, talk about the other punitive measures and potential outcomes of a data breach.
Revolution vs Evolution
How revolutionary really is GDPR? We have had many regulations covering various elements of information security for a long time. You will all have heard of, or be familiar with, SOX, DPA, PCI-DSS, HIPAA, FedRAMP, etc. (I could go on). Many of these regulations cover similar themes such as data encryption, authentication, authorization, patching, etc. Therefore, for many organizations, some of the processes and controls necessary for GDPR will already be in place. Of course, there are elements of GDPR which are posing more of a challenge than others, especially around the data privacy elements. These should not be under-estimated.
Don’t Oversell or Be Oversold To
If your company sells a product or solution that can help an organization address a certain element of GDPR, don’t oversell it as a way of ‘solving GDPR’. As an organization battling with GDPR, be wary of any company that claims its solution will ‘make you GDPR compliant’. I have seen software vendors as well as cloud vendors claim this. There is a lot of work to do for GDPR, and I don’t see how any vendor can claim to make you GDPR compliant. If, for example, you put your data into a cloud provider, they will be the data processor, but the organization will still be the data controller and will therefore have its own responsibilities.
As an organization, you should understand where any potential vendor or provider could help, which parts of GDPR it can help with, and the limits of that solution.
Identify Quick Wins
GDPR is a business transformation program. It will require business, process, and technical changes, and those will take time. However, there are things that can be done in parallel. An organization should be looking at quick wins that help it start taking baby steps towards its end goal, rather than waiting until all of the upfront ‘consulting’ work is completed. For example, this could be starting to use technology to find personal and sensitive data within systems, or starting to enable encryption to secure personal data at rest. This gives two benefits. Firstly, when May 2018 arrives, it shows that an organization is making real progress in relation to GDPR. Secondly, we are all seeing the frequency and scale of data breaches in the press. Ignoring GDPR for a moment, just having appropriate controls in place to protect sensitive data (whatever it is) helps towards mitigating potential exposure.
Twelve months ago, I would go in, mention GDPR, and get many blank faces. Today, however, most organizations I talk to understand what GDPR is and have a program in place. The maturity of those programs varies dramatically, but at least they have taken the first steps, if they are not already well along their journey. Therefore, covering the basics of GDPR at every session isn’t always necessary. I have seen people present an overview of GDPR to the head of an organization’s GDPR program. If you are a vendor or supplier, be aware of your audience’s existing knowledge.
When I talk to organizations about GDPR, I always try to follow my own advice. Whether I am talking about how Oracle can help with technology controls for managing and monitoring user access or data security, or about how moving workloads to Oracle Cloud can enhance security, I am always conscious to follow my own rules: be as honest as possible, don’t oversell, and don’t incorrectly position anything we do. I hope others do too, and that organizations recognize when they are being oversold.