By Richard Walters
Watching salespeople on the show floor of this year’s Infosecurity Europe and it’s as if all their Christmases have come at once. The big present is General Data Protection Regulation (GDPR), and they can’t wait to unwrap it for you.
Preparing to abide by the new requirements it imposes has become a top priority amongst both SMEs and large enterprises, but not nearly as much as for many IT security vendors who have suddenly, conveniently, become experts on the subject.
These vendors are all essentially saying the same thing: “failure to prepare is preparing to fail, so start now by buying this product or it’s game over.” Good old-fashioned FUD is creating mass hysteria as revenue-hungry sales reps perpetuate the threat of significant financial repercussions and legal consequences for non-compliance. If only you sign on the dotted line with their solution, you could transform your organization into a GDPR compliant one.
The truth is that it’s just not that simple…
At this moment in time, GDPR is lacking clarity in a number of areas. It is not a destination that organizations can ‘arrive’ at by adopting new products or services. Why? Because no one knows the exact location of the final destination yet. The urgency that inevitably seems to creep into conversations about GDPR is completely unfounded. Admittedly, some aspects of the legislation are black and white - such as the detailed (and expanded) definition of what constitutes personal data – but they’re surrounded by many more that are currently very, very grey. And because you cannot possibly begin to define and act upon these grey areas with 100% certainty, the GDPR picture is largely unactionable and much of the rushed, panicked preparation currently being undertaken by organizations is futile.
Four things I learnt about cybersecurity at InfoSec17
So, what can be done?
The most important action that your organization can take in the lead up to GDPR is to remain calm and shut out the noise. Don’t get sucked in by those vendors who have jumped on the GDPR bandwagon, and don’t rush to spend your budget based on their false promises and exaggerated threats of immediate financial doom should your organization not be 100% compliant before deadline day.
Could you be nailed for GDPR non-compliance on 25th May 2018? History tells us that this will not be the case. Despite the Data Protection Act coming into force in 1998, it was 2010 before the first fines were issued by the Information Commissioner. The likelihood is that GDPR won’t be an overnight change either, mainly because it’s just not realistic. As with every step into the unknown, the legislation will be a learning curve for all involved, and therefore a cross-over period and a bit of leeway for organizations having to adjust their attitudes towards data will naturally be required and probably granted.
9 things you need to know about GDPR legislation
That’s not to say that all anyone can do right now is sit twiddling their thumbs waiting for all aspects of GDPR to become crystal clear. Beginning to think about what personal data (as defined in the new legislation of course) you’re storing, where you’re storing it and for what reasons, will benefit your business in the long run. An internal audit of your systems, mapping out exactly where that data is, won’t make your business ‘GDPR ready’ as such, but it could be your first step on that journey and, let’s face it, it’s good business practice anyway.
Detailed preparation for GDPR when certain aspects of it are still so unclear is pointless, but that doesn’t have to stop you preparing to prepare.
Why IT education in schools is failing the UK
As for vendors, they should stop offering advice on GDPR in the shape of sales pitches. At this point, all that vendors can really do is ensure that a customer is no less compliant after purchasing their services.
Unfortunately, right now there is no vendor, no service and no product that can make an organization 100% GDPR compliant. Achieving that is simply not possible when all aspects of the regulation are not yet fully understood. To get to that place, it’s going to be a long journey, and one that will almost certainly exceed the deadline of May 2018. However, it’s a journey that we all must be part of together.
Richard Walters is Chief Security Strategist at CensorNet
UK industry has a massive cyber skills shortage: and it's their fault