zlacker

[return to "GDPR: Don't Panic"]
1. mrleit+s2[view] [source] 2018-05-18 08:30:24
>>grabeh+(OP)
The GDPR gets so much hate because it hits so many businesses where it hurts: data. GDPR "simply" gives you guidelines on how you can handle data from people within the EU. And that that data cannot be handled so liberally as it has been before. Of course that's annoying from a business perspective, but from an individuals privacy perspective, it's fantastic.
◧◩
2. thomas+tK[view] [source] 2018-05-18 15:44:39
>>mrleit+s2
It's not that it's annoying, it's that I literally cannot answer "are we GDPR compliant?". If you search for GDPR IP address, you get a ton of different opinions. Do I need to sanitize logs? How does that fit in with the requirements for security compliance we are also subject to?

At the end of the day, I am the one person who has to answer that question/is responsible for being GDPR compliant. I've spent hours doing research, figuring out what we need to do and implementing it -- and it's a hollow victory because even though I've said yes and have 100s of articles/white papers/opinions that back up the decisions I've made, the real answer is still "I don't know".

And I absolutely know I'm not alone in this. I got GDPR compliance dropped on my lap because I did security compliance -- if you contrast NIST 800-53/800-171 against GDPR you'll see why people are pissed off. One has clear guidelines with enough room for evolving best practices written by obviously competent/experienced professionals, the other is written as basically "we'll know it when we see it".

◧◩◪
3. guitar+JN[view] [source] 2018-05-18 16:09:55
>>thomas+tK
So everything should be written out explicitly, because you'd rather complete a checkbox-ticking exercise rather than thinking about it and do the correct, ethical thing in good faith?

Sounds like a win for the GDPR to me, we know rigid checkbox-ticking is ineffective.

Apart from that, NIST 800-53/800-171 are catalogs of "security controls and associated assessment procedures" for "Federal Information Systems and Organizations". GDPR is a data protection regulation in the context of the EU legal system. Apples to oranges.

◧◩◪◨
4. spelun+uO[view] [source] 2018-05-18 16:15:58
>>guitar+JN
If I'm going to be fined or penalized for not being compliant then yes, explicit would be nice. Checkboxes sound great.
◧◩◪◨⬒
5. guitar+RD2[view] [source] 2018-05-19 20:47:12
>>spelun+uO
Fair enough. As an implementer at a company, I can understand that sentiment. But the GDPR isn't for companies, it's for users.

Laws and regulations tend to stick around for longer than expected, and they're static. Technology and "cyber criminals" are dynamic. For better or worse, the GDPR acknowledges this. I think that's a testament to the Article 29 Working Party, in a world where most politicians are clueless about technology.

◧◩◪◨⬒⬓
6. Kalium+ra3[view] [source] 2018-05-20 07:27:43
>>guitar+RD2
> Fair enough. As an implementer at a company, I can understand that sentiment. But the GDPR isn't for companies, it's for users.

You're absolutely right! GDPR is wonderful for users as a ringing and clear statement of human rights.

Unfortunately, it also needs to be for companies because it affects companies just as much as users. I would go so far as to say GDPR rests almost entirely on companies to turn this stirring declaration of human rights into rights said humans can actually make use of. In this regard, it's a collection of opportunities for improvement of awe-inspiring proportions.

You're right. Technologies and threat landscapes change. Regulation needs to acknowledge this or be worse than useless. Yet, perhaps there are ways to deal with this that don't rest largely on handwaving away critical questions of what compliance actually might look like with weasel-words like "reasonable".

Does that seem possible?

[go to top]