Ask a lawyer what ‘appropriate’ or ‘reasonable’ means and they’ll come back with something like; “What would be considered fair by a disinterested third party with sufficient knowledge of the facts.”, or “Fair, proper, or moderate under the circumstances.”
Now translate that into what kind of security measures are considered appropriate? How would you justify that what you are doing is reasonable, fair, or proper under the circumstances?
Because that’s what you’ll have to do if things go wrong under GDPR. You’ll have to justify that the measures you took to protect personal data were underpinned by an appropriate program for measuring and treating risk. If your breach was shown to be anything other than a determined attacker, all you’ll have in your
When you consider that the General Data Protection Regulation (GDPR) – and every other regulatory compliance for the matter – was written by lawyers, should we not be able to work out what ‘appropriate’ means for a security program? After all, lawyers have no problem defining the word ‘reasonable’, they even apply it to their fees!
The good news is that the process is not only well known, it’s simple; it’s called Risk Management, and it’s been around for decades.
Now put yourself in the shoes of an auditor after you have been breached. What are they going to
If I was an auditor I’d ask for 5 things up front, as without them I know there is no way you have an appropriate security program in place:
- A mapping of your policies, standard and procedures to whatever security framework you based your on;
- Your risk assessment procedure and the results of the last one conducted;
- Your risk register;
- Your change control procedure; and
- Your incident response procedure.
At this stage, I would care nothing for your technology, or how much you spent on it. A technology purchase outside of a properly defined business need is nothing more than smoke and mirrors. Besides, no regulator has ever tried to qualify how much you spent. It’s up to you to show why you spent what you did, and why you didn’t spend more.
Complying with the
- GDPR is 90% about how you get the data, and what you then do with it when you have it. Anything you spend on security should be justified against the business goals, not a compliance requirement;
- There is no cyber insurance against loss of reputation, this should not be about the money;
- Any security vendor offering “GDPR Compliance” is at best telling you 10% of the story, at worst, is lying to you.
While I agree it may be difficult to sort through the good advice and the crap when it comes to this stuff, there is no excuse for doing nothing. GDPR and every regulation to come will not change the basics, security will be same regardless.
The issue is not regulation, it’s that
Original Source: Froud on Fraud