GDPR confusion: it's about direction of travel not hard deadlines
The 'how to' element is missing from GDPR and this is the cause of much of the angst
Yesterday, on the very eve of GDPR, the ICO's website went down. This was presumably due to the weight of traffic of panicked businesses and individuals fearful of large fines that might coming their way. It was no surprise therefore that among the challenges identified by IT leaders around the subject, simply "understanding everything that needs to be done" was the top issue identified.
Certainly Robert Bond (p ictured centre left), partner and notary public at law firm Bristows LLP, was not at all surprised.
"GDPR is not particularly prescriptive about what compliance actually means," he told the panellists on today's Computing web seminar: GDPR is here, but are you ready? However, there are some key concepts to take on board he said.
"One key word is transparency and another is accountability. You need to prove you're accountability to the regulator and the data subject."
So it's all about being able to demonstrate that plans are in place to report data breaches should they happen, and ensuring you can locate and delete people's data if that's what they desire, wherever it might reside within the supply chain. In this there are certainly some key issues to address.
"You need to address privacy by design, your third party vendors' processes and sub-processes and you need to be controlling data protection and data destruction," Bond said.
However much of the rest is procedural.
"But then there are all the other policies that you need to put in place like how do you manage a subject access request? How do you manage requests for erasure? How do you manage data portability? How do you deal with employees' rights? How do you deal with users' devices, with CCTV and drones? And how do you manage paper?"
It's the lack of a 'how to' element in GDPR that's the cause of a lot of the confusion, he said.
James Walker, UKI enterprise security consultant at Trend Micro, painted a similar picture but from an IT security perspective. People are not sure what to do, but really it's nothing most aren't already doing. It's knowing where to start and exactly what's required.
"It's a risk analysis approach, so it's working out where does the biggest risk reside? Then it's applying the right technologies to it," he said.
"There's nothing particularly new to this is just a matter of making sure that protections are applied effectively."
However, he suggested, GDPR is an opportunity for IT. One thing that definitely has changed is the profile of IT security.
"IT staff we work with have always wanted to have better security but they haven't been able to. But suddenly because of the large fines the board are very concerned about their jobs and about the business and they're open to having those business case discussions about investments, so IT staff are now able to do the job always wanted to do. That's been a real eye-opener," he said.
As to what to focus on, Walker suggested to start by working out who has access to personal data and why and then evaluating the risks. Many companies will not need to purchase any new specialised solutions.
"Having encryption in place, having DLP in place and having visibility into the network is very important. Get those basics in place and you can build on them."
However, Walker did suggest that automating subject access requests will be a necessity for most firms if they are not to be overloaded with work.
A video of this web seminar will be available to view shortly.