zlacker

[return to "GDPR: Don't Panic"]
1. mrleit+s2[view] [source] 2018-05-18 08:30:24
>>grabeh+(OP)
The GDPR gets so much hate because it hits so many businesses where it hurts: data. GDPR "simply" gives you guidelines on how you can handle data from people within the EU. And that that data cannot be handled so liberally as it has been before. Of course that's annoying from a business perspective, but from an individuals privacy perspective, it's fantastic.
◧◩
2. thomas+tK[view] [source] 2018-05-18 15:44:39
>>mrleit+s2
It's not that it's annoying, it's that I literally cannot answer "are we GDPR compliant?". If you search for GDPR IP address, you get a ton of different opinions. Do I need to sanitize logs? How does that fit in with the requirements for security compliance we are also subject to?

At the end of the day, I am the one person who has to answer that question/is responsible for being GDPR compliant. I've spent hours doing research, figuring out what we need to do and implementing it -- and it's a hollow victory because even though I've said yes and have 100s of articles/white papers/opinions that back up the decisions I've made, the real answer is still "I don't know".

And I absolutely know I'm not alone in this. I got GDPR compliance dropped on my lap because I did security compliance -- if you contrast NIST 800-53/800-171 against GDPR you'll see why people are pissed off. One has clear guidelines with enough room for evolving best practices written by obviously competent/experienced professionals, the other is written as basically "we'll know it when we see it".

◧◩◪
3. guitar+JN[view] [source] 2018-05-18 16:09:55
>>thomas+tK
So everything should be written out explicitly, because you'd rather complete a checkbox-ticking exercise rather than thinking about it and do the correct, ethical thing in good faith?

Sounds like a win for the GDPR to me, we know rigid checkbox-ticking is ineffective.

Apart from that, NIST 800-53/800-171 are catalogs of "security controls and associated assessment procedures" for "Federal Information Systems and Organizations". GDPR is a data protection regulation in the context of the EU legal system. Apples to oranges.

◧◩◪◨
4. spelun+uO[view] [source] 2018-05-18 16:15:58
>>guitar+JN
If I'm going to be fined or penalized for not being compliant then yes, explicit would be nice. Checkboxes sound great.
◧◩◪◨⬒
5. guitar+RD2[view] [source] 2018-05-19 20:47:12
>>spelun+uO
Fair enough. As an implementer at a company, I can understand that sentiment. But the GDPR isn't for companies, it's for users.

Laws and regulations tend to stick around for longer than expected, and they're static. Technology and "cyber criminals" are dynamic. For better or worse, the GDPR acknowledges this. I think that's a testament to the Article 29 Working Party, in a world where most politicians are clueless about technology.

[go to top]