06 Nov GDPR – The good, the bad and the ugly
At a recent reseller event organised by CRN I described GDPR in the terms above, and on reflection I still feel comfortable with this assessment.
The good is the amount of focus information security is getting as a result of the impending new legislation.
There is a slight sense of frustration that in some areas it takes such a change to get security moved to the top of the agenda, but this seems to be a trait that has dogged security for some time. It shouldn’t take the WannaCry ransomware outbreak to get operating systems patched or updated, but an attitude of “it won’t happen to me” still seems to be pervasive.
Hopefully a continued focus will agitate for things to get done, but it doesn’t change the fact that information security existed before GDPR, is part of how to address GDPR, and will need to exist in a future well after GDPR.
The bad is the amount of time spent with lawyers. So I know lawyer bashing in most circles makes for crowd-pleasing rhetoric, but there is no escaping that GDPR is a piece of legislation and therefore needs the expertise (and associated cost) of the legal profession.
IT normally looks at a problem and applies a solution. You simply can’t do this with a legal issue: it is a moving target that relies on principles such as maintaining a defensible position. This is why a combination of line-of-business skills will need to take ownership of GDPR, and it really shouldn’t be dumped on an IT team.
The ugly is the ridiculous hype cycle that we are hopefully coming to the end of: the amount of misinformation and cheap sales pitches suggesting you should spend budget on point solutions to avoid being fined millions of pounds.
It has been an embarrassment that our whole industry must bear, but I am pleased that this nonsense is on the wane and we can start getting down to the practicality of what needs to be done. The Information Commissioner’s Office is publishing realistic positions on what is required, although the detail is still lacking in a number of areas.
What can be achieved is a strong understanding of what data you have, how it is collected and where it is stored. Armed with that, you can be assessed to see what will help on the journey to compliance. No panic is required and doing nothing is not an option, but there is a middle ground that rightly exposes rampant opportunism for what it is.
I’m sure there will be many conversations to come, and I look forward to having them with you and focusing on the good at the expense of the bad and the ugly.