Next May the GDPR comes into force. No wait, that sounds wrong. Surely it’s the GDPR regulations. But if I call it that, I’ll get hate-mail from the people who complain when I write about PIN numbers. So we’ll stick with the GDPR for now.
The entire security industry seems to have been shaken up by the impending GDPR. C-level people are frantically trying to work out the implications and obligations for their companies. Half of LinkedIn’s membership are promoting themselves as GDPR experts when in reality, hardly anyone understands it. Recruitment companies are posting adverts seeking candidates with 5 years’ GDPR experience, because the clients asked for it in the job description and no one dared tell them that no one has it.
Gaining an unbiased understanding of GDPR without spending thousands on lawyers and consultants is frustratingly difficult. The definitive document is of course the official regulation as published by the European Parliament. You can download it from the internet for free. But it runs to hundreds of incomprehensible pages. A lawyer acquaintance of mine explained why the document is so awful. It’s designed to be used as the input for systems and people across the EU who have to translate it into meaningful legislation for their own country. Think of it almost as a program script rather than a human-readable document. Those unintelligible phrases may mean nothing to you, but are the bread and butter of civil servants who turn EU rulings into local laws.
There are plenty of better sources of GDPR guidance around. The UK’s own Information Commissioner’s Office (the ICO) has lots of useful stuff on its website. But even the introduction to its official overview states that “this is a living document and we are working to expand it in key areas”. Translation: we have no idea either, but we’re doing our best.
Organisations across the EU and the UK (might as well get used to saying it like that now) are rushing to understand GDPR and to adopt it. Which is a good thing. But one man’s compliance is another’s box-ticking. I’m currently seeing lots of interest from potential customers of my security awareness training who are simply doing it to tick another box on the GDPR compliance checklist. I worry that they won’t take it seriously, and that they’re doing it for the wrong reasons.
Remember the cookie laws? Those EU-wide regulations which said that visitors to websites had to explicitly opt in to receiving cookies on their device? The industry quickly worked out a loophole, which added a pointless question to every website and achieved absolutely no increase in data privacy whatsoever. No one really wanted the rule, and the industry did as little as possible in order to comply with it and then pushed it out of their minds. I sincerely hope that GDPR doesn’t end up the same way. Its intentions are good, but it requires more than grudging compliance and box-ticking if you, and your business, hope to get anything useful from it.