Computing podcast: GDPR is too big for a technical solution

player-id
2KlLo8X3-uSZKziPq

Anish Chauhan of Equilibrium Security Services and Yves Mertens of Cisco agree that the GDPR touches too many areas for one product or process to handle

Not only is there no such thing as a ‘silver bullet' for the GDPR, but there is no such thing as a GDPR-compliant product. That was the conclusion of Anish Chauhan (director at Equilibrium Security Services) and Yves Mertens (director of cyber security for EMEA at Cisco), in a recent Computing podcast.

Computing research has revealed that only 28 per cent of UK organisations feel confident that they will be compliant with the new regulation by May, and a worrying 42 per cent said they have only started to prepare. 13 per cent are still waiting to see what their peers are going to do, and six per cent say that GDPR is "not on their radar at all."

With figures like these, and fines threatening to reach four per cent of global turnover, it should be no surprise that many companies are searching for a technological solution to the issue.

Unfortunately it's not that easy, and an off-the-shelf solution just doesn't exist. "Any organisation that tries to tout a ‘GDPR-compliant' product is completely leading you down the garden path," said Chauhan.

"Social media is awash with organisations that claim to have a product that will give them the proverbial tick in the box for GDPR, but in essence that product does not exist."

The scope of the GDPR is a major problem, ensuring that even if a technological answer were possible, a single one could not cover all the bases.

"There's no one product that can really make an organisation compliant," Chauhan continued. "It touches people, it touches process, it touches technical, and if you think about it like that it's almost one of the most wide-ranging regulations [that exists], so how can there possibly be a product that makes an organisation compliant?"

Mertens concurred, adding, "[The] GDPR requires you to put the policies, the processes and technology to stay in compliance, and also to coach people...to respect GDPR compliance. There is no product that is able to accomplish all of that at the same time…

"It's much bigger than just saying a product is GDPR compliant."

The other end of the scale is a human process: simply teaching people what they can and cannot do under the new regulation. Chauhan thought that anything limited to this would "fall way short of the mark," though.

"[GDPR] touches so many different aspects of an organisation: legal, marketing, HR, technical. There's not one process that you can tell all of these organisations to read and follow and just tick a box to say they've read and understood it, and therefore the organisation is making individuals responsible for their compliance with GDPR - that's certainly not going to be the case."

To hear Chauhan and Mertens' other conclusions about the GDPR, listen to the podcast now.