The General Data Protection Regulation (GDPR) is upon us and across the globe we’re seeing a flurry of activity. But will any of it make a difference? Will data start being better protected? The EU certainly thinks so, but only time will tell.
As with any regulatory regime, we have the question of compliance versus protection, and whether one delivers the other. Generally this is not the case, as seen by the myriad of PCI-certified organisations that suffer data breaches. Being compliant rarely makes you secure.
But if we distance ourselves from what the EU wants and focus on what we want, it’s time for some deep self-reflection and a bucket full of honesty. Is compliance your goal? Is data protection your goal? Is staying under the radar of the authorities and doing nothing your goal? Every business will say they want to comply, protect data and be privacy conscious, but is that really true?
If your business is dependent on mining, sharing and selling data, then it’s impossible to be privacy focused. And this is a real problem.
The GDPR demands that privacy be designed into systems and enabled by default. But the question every designer, architect, marketer or developer is asking is, “how much privacy?” I see this frustration every day as systems are being built, modified and fixed to meet the GDPR requirements. People just don’t have a direction. And this is especially evident with Project Managers trying to assess the scale of the task ahead. Is this a “bare minimum” or a “no expense spared” piece of work? The upshot is that companies deliver inconsistent levels of data protection which rarely align with a business strategy. This never ends well.
So the question I give to every CEO and CISO is, “What is your data protection mission?” Most companies have corporate values, mission statements and philosophies, but few have one focused on data and privacy. Of all the activities you can do to protect data, I would suggest this may be right at the top. Agree on a guiding principle that your organisation will adhere to and that maps tightly to the business strategy. It doesn’t actually matter what it is; it just needs to be a strategic direction that will frame all of the work going forward. The giants of the tech world are facing major challenges right now as they reverse direction following their mishandling of data, and there’s no need for that to happen to you.
The Information Security world has the concept of “Cyber Hygiene” and doing the basics to prevent most of the threats. But I find this insufficient, and would rather say, “Do the basics, and do them right, if it makes sense for your business.” But few have thought about what is right for the business or care whether it is being done right. Instead, they pay lip-service to specific threats and simply apply a check-box approach.
Anti-malware is a common place to see this, with the casual answer of, “We’re fine for malware prevention because we have ‘an’ anti-malware product.” No analysis of whether it works very well or whether it has been tested. On paper they’ve met the compliance requirement, so they check that off the list. Again, compliance doesn’t equal protection.
All of this isn’t about not caring; it’s about ignorance. Personally, I can live with a CEO saying that in their company they don’t care about protecting data, and that sales are all that matters. At least they have a guiding principle that creates clarity for everyone to work to. Clearly, being a Data Protection Officer, I would much rather companies decide that protecting data and delivering strong privacy controls is good for business and is morally the right thing to do. But I’m a realist and know that everyone prioritises these things differently.
If you’re up for the challenge then I highly recommend you create your own data protection mission. Decide what all this means to your company and get your whole organisation behind it.