zlacker

[return to "GDPR: Don't Panic"]
1. mrleit+s2 2018-05-18 08:30:24
>>grabeh+(OP)
The GDPR gets so much hate because it hits so many businesses where it hurts: data. GDPR "simply" gives you guidelines on how you can handle data from people within the EU. And that that data cannot be handled so liberally as it has been before. Of course that's annoying from a business perspective, but from an individual's privacy perspective, it's fantastic.
2. thomas+tK 2018-05-18 15:44:39
>>mrleit+s2
It's not that it's annoying, it's that I literally cannot answer "are we GDPR compliant?". If you search for GDPR IP address, you get a ton of different opinions. Do I need to sanitize logs? How does that fit in with the requirements for security compliance we are also subject to?

At the end of the day, I am the one person who has to answer that question/is responsible for being GDPR compliant. I've spent hours doing research, figuring out what we need to do and implementing it -- and it's a hollow victory because even though I've said yes and have 100s of articles/white papers/opinions that back up the decisions I've made, the real answer is still "I don't know".

And I absolutely know I'm not alone in this. I got GDPR compliance dropped on my lap because I did security compliance -- if you contrast NIST 800-53/800-171 against GDPR you'll see why people are pissed off. One has clear guidelines with enough room for evolving best practices written by obviously competent/experienced professionals, the other is written as basically "we'll know it when we see it".

3. guitar+JN 2018-05-18 16:09:55
>>thomas+tK
So everything should be written out explicitly, because you'd rather complete a checkbox-ticking exercise than think about it and do the correct, ethical thing in good faith?

Sounds like a win for the GDPR to me; we know rigid checkbox-ticking is ineffective.

Apart from that, NIST 800-53/800-171 are catalogs of "security controls and associated assessment procedures" for "Federal Information Systems and Organizations". GDPR is a data protection regulation in the context of the EU legal system. Apples to oranges.

4. swat53+ZC2 2018-05-19 20:27:34
>>guitar+JN
It is one of the most basic tenets of any legislative system that penal provisions be as precise as possible so as to avoid any abuse from the legislator or the executive body tasked with enforcing said statute.

If the legislation is principle-based or overly broad so as to cater to the notion that it will be enforced in an ethical and moral manner, the purpose shall be defeated.

As such, there shall be no manner in which the individuals who are regulated will have any sense of how to comply with the legislation, and ultimately this undermines the rule of law as well as the respect of the public for such legislation.

Such legislation that sets out fines and penalties, especially the absolutely ridiculously high penalties provided for by GDPR, must be as precise as possible so as to ensure the public knows exactly what is prohibited and what is not. This is notwithstanding the fact that this marvelous bit of administrative madness has the ability to bankrupt any organisation up to and including developing countries.

To trust that the executive body will apply regulations in an ethical and fair manner is a rather paradoxical view especially when such regulations also include mechanisms for judicial review and public control. Thus, legislation which claims to be fair and ethical is also, by the same token, providing measures in case the system is abused, which is again rather paradoxical.

These are not apples and oranges; this is a massive administrative monster that contains penal sanctions and as such must be rule-based, based on basic legal principles that apply in pretty much every jurisdiction, European or otherwise.
