At the end of the day, I am the one person who has to answer that question/is responsible for being GDPR compliant. I've spent hours doing research, figuring out what we need to do and implementing it -- and it's a hollow victory because even though I've said yes and have 100s of articles/white papers/opinions that back up the decisions I've made, the real answer is still "I don't know".
And I absolutely know I'm not alone in this. I got GDPR compliance dropped on my lap because I did security compliance -- if you contrast NIST 800-53/800-171 against GDPR you'll see why people are pissed off. One has clear guidelines with enough room for evolving best practices written by obviously competent/experienced professionals, the other is written as basically "we'll know it when we see it".
Sounds like a win for the GDPR to me, we know rigid checkbox-ticking is ineffective.
Apart from that, NIST 800-53/800-171 are catalogs of "security controls and associated assessment procedures" for "Federal Information Systems and Organizations". GDPR is a data protection regulation in the context of the EU legal system. Apples to oranges.
Yes, so a law or rule or EO says "you must be compliant with this framework" - the GDPR just left off the part where they have controls/a framework.
It's not rigid box ticking, a control defines what you need to do. How you do that is up to you and should be updated often as things evolve. For example, in the GDPR I would say you must catalog data collected and perform a personal data assessment with justification for whether "piece of data" is personal data or not. I can comply with that, I have lots of supporting documentation that an IP address does not personally identify a person.
Then if a regulator releases a clarification that an IP address is personal data or the consensus of the security community changes or whatever happens, I just update my security plan and make sure the IP address is handled the same as all of the other personal data in our systems and I was never out of compliance.
It basically works the same in practice, you must make a good faith effort to comply -- but proving you made a good faith effort and documenting what you did and why is also part of the compliance framework. The GDPR doesn't have that, you're at the whims of the EU because there is nothing except internet opinions on how to comply.
When doing the ethical, moral, right, correct thing might still be considered falling short of "reasonable measures" by some bureaucrat? It might be kinda nice to have had more detailed guidance.
Yes, because if I’m supposed to comply with something, I want to know exactly what I’m complying with.
Right now I think I'm already doing everything in good faith, but the enforcers of the GDPR may think differently.
This is why we have laws, so we can be held accountable exactly.
What if my opinion of what is ethical differs from what regulators decide? Opinions are notoriously inconsistent, subject to bias, and easily used to discriminate.
For example, if you're a CDN business, and naturally need to fight DDOS attacks, then storing exact IP addresses for all requests for a few weeks easily falls under "legitimate interest" (GDPR 6.1.f). On the other hand, if you're a political news site, then storing IP addresses and URLs for the purpose of determining political preferences of people without their consent is very clearly illegal, taking into account that an IP address can often be static and so identify a specific person.
Yes, it means that you have some decisions to make yourself, and the regulator might disagree with your decisions, but that's true about pretty much every new law, no?
If the legislation is principle based or overly broad so as to cater to the notion that it will be enforced in an ethical and moral manner, the purpose shall be defeated.
As such, there shall be no manner in which the individuals who are regulated will have any sense of how to comply with the legislation and ultimately this undermines the rule of law as well as the respect of the public for such legislation.
Such legislation that sets out fines and penalties, especially the absolutely ridiculously high penalties provided for by GDPR, must be as precise as possible so as to ensure the public knows exactly what is prohibited and what is not. This is notwithstanding the fact that this marvelous bit of administrative madness has the ability to bankrupt any organisation up to and including developing countries.
To trust that the executive body will apply regulations in an ethical and fair manner is a rather paradoxical view especially when such regulations also include mechanisms for judicial review and public control. Thus, legislation which claims to be fair and ethical is also, by the same token, providing measures in case the system is abused, which is again rather paradoxical.
These are not apples and oranges, this is a massive administrative monster that contains penal sanctions and as such must be rule-based, based on basic legal principles that apply in pretty much every jurisdiction, European or otherwise.
Laws and regulations tend to stick around for longer than expected, and they're static. Technology and "cyber criminals" are dynamic. For better or worse, the GDPR acknowledges this. I think that's a testament to the Article 29 Working Party, in a world where most politicians are clueless about technology.
You're absolutely right! GDPR is wonderful for users as a ringing and clear statement of human rights.
Unfortunately, it also needs to be for companies because it affects companies just as much as users. I would go so far as to say GDPR rests almost entirely on companies to turn this stirring declaration of human rights into rights said humans can actually make use of. In this regard, it's a collection of opportunities for improvement of awe-inspiring proportions.
You're right. Technologies and threat landscapes change. Regulation needs to acknowledge this or be worse than useless. Yet, perhaps there are ways to deal with this that don't rest largely on handwaving away critical questions of what compliance actually might look like with weasel-words like "reasonable".
Does that seem possible?