- 2017, August 30, The Washington Times, “Legislation to limit smartphone encryption ‘may be necessary,’ deputy AG Rosenstein says” — Crypto Wars 2.0!
- 2017, August 30, SSRN, “Smart Devices and Criminal Investigations: Protecting Suspects’ Privacy and Fourth Amendment Rights”
- 2017, August 30, SSRN, “PRC’s New Data Export Rules: ‘Adequacy with Chinese Characteristics’?”
- 2017, August 30, SSRN, “The Regulation of Data Flows Through Trade Agreements”
- 2017, August 30, CSO, “Biometrics and blockchains: Why identity matters (part 1)”
- 2017, August 28, arXiv – 1708.08510, “Most Websites Don’t Need to Vibrate: A Cost-Benefit Approach to Improving Browser Security”
- 2017, August 10, arXiv – 1708.08749, “Blockchain: A Graph Primer”
The GDPR Challenge
I posted a whimsical checklist for managing GDPR compliance on LinkedIn yesterday. It generated a bit of discussion – which is great!
I posted it after thinking about what it would take to get a handle on an organisation’s data. This is not a simple process – and I know it can’t be distilled down to a checklist!
However, even though it is complex, I think there needs to be a clearer pathway toward compliance. My suggested entry-point is to shine a light on data. Some people in the LinkedIn discussion believe that business objectives come first, but I’m not so sure in this instance.
Generally, I would agree that business objectives are the first consideration, and that technology supports those objectives. But in the case of GDPR compliance (or trying to implement good data governance), I think the priority is the data: What data is collected in the organisation? Where is that data stored, and in what format? Who has access (and who should have access) to the data? How does the existing data collection and storage map to core business processes? And finally, how will this all be monitored?
I don’t think it is necessary to consider the ‘why’ of the business in this case. Or, to put it differently, if you haven’t already covered off the ‘why’ and know why you are in business, then complying with GDPR or having a good data governance program is redundant! You may as well shut the business down and not even get to this point. So, my assumption is that your business is a viable going concern and you have a good business strategy in place. If not – do that first!
If you are comfortable with why you are in business and there is nothing pressing to address in that space, then I think your focus should turn to data.
Get full visibility of the data. And I don’t mean limit this to knowing where the personal or sensitive data is – know it ALL! Now, I don’t pretend that this is an easy process or that it will be a quick process, but I do say that it is essential to good business practice.
That is because processes inevitably go stale: it is extremely likely you are collecting data you don’t need, and that staff have access to data they have no need for.
So, indirectly, I am saying that this focus on the data achieves the dual purpose of reviewing your security status.
A key reason for GDPR and similar regulations is to enforce good data hygiene. Regulators want to promote innovation and business by satisfying the understandable consumer anxiety about what happens with their data every time they transact, either online or offline. Security of data is as important as privacy. Moreover, privacy of data is a subset of security.
And if you intend to secure your data then you need complete visibility of it.
If a customer wants to rectify their data with you then you need to start with answering the questions above. Only if you know where the data is and how to manage it can you meet something like GDPR.