There is a great video overview of what GDPR (General Data Protection Regulation) is: “Preparing for GDPR” by John Elliott, head of payment security at EasyJet.
Make no mistake, bureaucrats like to look at each other's notes, so if a “new” regulatory method is coming … the US and Asia are watching. In fact the GDPR borrows some aspects of American breach regulations, which European countries apparently have not had before (notification of breaches).
In my eyes the most interesting aspect of GDPR is that this snapshot from the video shows how it now focuses on potential data security problems (breach, privacy, etc.), which will be weighed by their effect on the actual customer data, i.e. beyond the breach itself and the obvious effect of a number of records stolen by criminal hackers. There is a “respect for private and family life, home and communications” and a “freedom to work and choose an occupation”. These two phrases, picked out from the others, show that the bureaucrat can make up a lot of rules out of this, and it is not clear what a company has to do with the data for it to satisfy “respect for private and family life”. It may be that the data has to be deleted after so many days so that no one sees it.
The general nature of this new effort by the EU is of course written in this manner because technology is ever changing. It is hard to write regulations around new technologies, especially as they are implemented faster than the regulations are written (the last time EU regs were redone was in the 90s).
Another snippet from the video refers to a general security note on what he terms the “Regulatory Zone of Compliance”:
A graph of how much focus each entity wants to put on GDPR.
The four choices:
- Money is no object
- Playing safe
- Probably ok
- Hope we are lucky
I think I would change #1 to “100% safe by using all possible effort and resources ($$) to ensure this”.
And maybe add to #4 the phrase “we will not be hacked, or regulators will not find out if a problem occurs”.
But instead, why don't we change this graph to a Focus on Cybersecurity %, which dovetails more closely with my past Psychology of Security blog post?
What is our Focus on Cybersecurity?
Best to start at the bottom.
- Little Focus (25% of what it needs to be) – hope regulatory bodies and hackers avoid us
- Good Focus (50% of the effort) – we make some effort at compliance and at defense against hackers
- Better Focus (75% of effort) – more effort at defense against hackers and at compliance
- Best Focus (100% effort) – no expense is spared and no effort withheld to make sure that hackers do not affect the business; compliance, of course, is a given.
Is it the Best it can be? 100% effort?
The Psychology of Security, if you remember, has to do with most people not focusing on security: since the risk is not obvious, we are willing to accept higher and higher levels of risk until it stares us down.
So we need to discuss a way to change minds, if you have problems with decisions at the top.
Where we need to be more secure, compliance can help make the people who run organizations focus more on security and data privacy.
Since security decisions depend on emotions as well as practicality, we can satisfy both by saying we will tackle this new compliance because we do not want to get fined, which also reduces the FUD (Fear, Uncertainty and Doubt), i.e. the emotional side.
In fulfilling this compliance we are also protecting our client data, although that may be hard to see. The bureaucratic movement never ends; even now America is learning from the EU, and make no mistake… it will come here soon enough. Better to get ahead of this push.
What I would recommend is to find all of your client data and make sure that you are not selling it, or even giving the appearance of selling it.
Be careful how you handle the data. Treat it better than your own; treat it as if it were gold (or bitcoin).
Contact me to discuss this in detail.