zlacker

[return to "GDPR: Don't Panic"]
1. mrleit+s2 2018-05-18 08:30:24
>>grabeh+(OP)
The GDPR gets so much hate because it hits so many businesses where it hurts: data. GDPR "simply" gives you guidelines on how you can handle data from people within the EU. And that data cannot be handled as liberally as it has been before. Of course that's annoying from a business perspective, but from an individual's privacy perspective, it's fantastic.

2. thomas+tK 2018-05-18 15:44:39
>>mrleit+s2
It's not that it's annoying, it's that I literally cannot answer "are we GDPR compliant?". If you search for GDPR IP address, you get a ton of different opinions. Do I need to sanitize logs? How does that fit in with the requirements for security compliance we are also subject to?

At the end of the day, I am the one person who has to answer that question/is responsible for being GDPR compliant. I've spent hours doing research, figuring out what we need to do and implementing it -- and it's a hollow victory because even though I've said yes and have 100s of articles/white papers/opinions that back up the decisions I've made, the real answer is still "I don't know".

And I absolutely know I'm not alone in this. I got GDPR compliance dropped in my lap because I did security compliance -- if you contrast NIST 800-53/800-171 against GDPR you'll see why people are pissed off. One has clear guidelines with enough room for evolving best practices, written by obviously competent/experienced professionals; the other is written as basically "we'll know it when we see it".

3. guitar+JN 2018-05-18 16:09:55
>>thomas+tK
So everything should be written out explicitly, because you'd rather complete a checkbox-ticking exercise than think about it and do the correct, ethical thing in good faith?

Sounds like a win for the GDPR to me, we know rigid checkbox-ticking is ineffective.

Apart from that, NIST 800-53/800-171 are catalogs of "security controls and associated assessment procedures" for "Federal Information Systems and Organizations". GDPR is a data protection regulation in the context of the EU legal system. Apples to oranges.


4. thomas+bR 2018-05-18 16:34:53
>>guitar+JN
> NIST 800-53/800-171 are catalogs of "security controls and associated assessment procedures"

Yes, so a law or rule or EO says "you must be compliant with this framework" - the GDPR just left off the part where they have controls/a framework.

It's not rigid box ticking; a control defines what you need to do. How you do that is up to you and should be updated often as things evolve. For example, in the GDPR I would say you must catalog data collected and perform a personal data assessment with justification for whether each "piece of data" is personal data or not. I can comply with that; I have lots of supporting documentation that an IP address does not personally identify a person.

Then if a regulator releases a clarification that an IP address is personal data, or the consensus of the security community changes, or whatever happens, I just update my security plan and make sure the IP address is handled the same as all of the other personal data in our systems, and I was never out of compliance.

It basically works the same in practice: you must make a good faith effort to comply -- but proving you made a good faith effort and documenting what you did and why is also part of the compliance framework. The GDPR doesn't have that; you're at the whims of the EU because there is nothing except internet opinions on how to comply.