The General Data Protection Regulation (GDPR) is upon us and across the globe we’re seeing a flurry of activity. But will any of it make a difference? Will data start being better protected? The EU certainly thinks so, but only time will tell.
As with any regulatory regime, we have the question of compliance versus protection, and whether one delivers the other. Generally this is not the case, as seen by the myriad of PCI certified organisations that suffer data breaches. Being compliant rarely makes you secure.
But if we distance ourselves from what the EU wants and focus on what we want, it’s time for some deep self-reflection and a bucket full of honesty. Is compliance your goal? Is data protection your goal? Is staying under the radar of the authorities and doing nothing your goal? Every business will say they want to comply, protect data and be privacy conscious, but is that really true?
If your business is dependent on mining, sharing and selling data then it’s impossible to be privacy focused. And this is a real problem.
Privicy By Default
The GDPR demands that privacy be enabled and implemented into systems by default. But the question every designer, architect, marketer or developer is asking is, “how much privacy?” I see this frustration every day as systems are being built, modified and fixed to meet the GDPR requirements. People just don’t have a direction. And this is especially evident with Project Managers trying to assess the scale of the task ahead. Is this a “bare minimum” or a “no expense spared” piece of work? The upshot is that companies deliver inconsistent levels of data protection which rarely align with a business strategy. This never ends well.
So the question I give to every CEO and CISO is, (Read more...)
*** This is a Security Bloggers Network syndicated blog from Cylance Blog authored by Carl Gottlieb. Read the original post at: https://threatvector.cylance.com/en_us/home/the-data-protection-mission.html