
3, 2, 1, GDPR

GDPR comes into effect on Friday, 25-May. What does it mean globally? Um...we're not really sure.



Reasonably Accurate Transcript

Good morning. How's everybody doing today? Hopefully you are not freaking out, because on Friday the EU's GDPR, or General Data Protection Regulation, comes into full effect. Now, there's been an absolute avalanche of information, marketing material, a little bit of misunderstanding, some great pieces, just a mix of everything you could think of coming out around GDPR.

Let me just adjust this a bit. There we go. We're good. Yeah, and that's OK. It's OK that there's a lot of swirl around there because, to be honest, we're not sure what the implications, or at least the second-order effects, of GDPR will be.

In a nutshell, GDPR is the one data protection regulation for all of the EU, and the goal was to unify the various member states' different initiatives under one stricter, stronger regulation that is essentially trying to put the control of your data back in your hands. It's getting organizations to take information security and data privacy seriously.

And the way it does that is with a very big stick. Very, very big. So this is the first time we've seen fines on this order in any jurisdiction around the world. For GDPR, the big one you're gonna hear a lot of the time is 4% of your global annual turnover.

So basically 4% of your gross as a potential fine. Now, that fine is only if you've been found grossly negligent in building out your security posture. So again, I'm not a lawyer, thankfully in this case, but that's basically the gist: if you are grossly negligent and, you know, essentially leave everything wide open and have no process, no protections, you could be fined up to 4% in the event of a breach or an issue.

Far more common is 2% of annual gross, or annual turnover, for failure to notify about a data breach. This is what should have most organizations on their tippy toes running around trying to figure out what they need to do, because part of GDPR is, you know, implementing the right to be forgotten; it's implementing the ability for you to change and understand what type of data an organization is collecting on you.

Which is why you've seen this avalanche of emails in your inbox over the last month saying we're updating our terms and conditions, we're updating our privacy policy, because they're all trying to get ready for GDPR. Some companies are adjusting what they keep, which is a good approach.

Others are trying to get you to waive your rights, which is never going to happen. And there's a sort of a mixed bag there as well, because the challenge is, until this gets implemented, until this is in effect and a few people actually are taken to task for GDPR failures, we're not really sure what the actual implications are. Technically, as far as I've read it and studied it and talked to a few folks, anything that contains data about an EU citizen or someone residing in the EU falls under this regulation.

That's the attempt, right? Whether that works multi-jurisdictionally, we'll see. But essentially, if you hold any piece of personally identifiable information, which includes the email address, you need to adhere to this regulation. Now, I don't know about you, but when you collect an email address, you don't know where that person resides.

So essentially, you have to treat everything as a potential European citizen or resident, unless you're gonna ask them up front, you know, "give us your email and check here if you're in the EU." So it could apply globally, which is interesting, because this is very much the geopolitical world running into the digital world sort of head on, right?

And we're not sure what's gonna happen. But at the end of the day, as an infosec professional, I love GDPR, because it's a wake-up call for a lot of people. It's bringing this to a high enough level, with those fines, that it's a true business issue.

It skews that risk map much better in the favor of individual privacy and control, and I think that's a very positive thing, because there's nothing in GDPR that should shock anybody around how to treat personal information, how to handle it. Yes, it's more stringent, but this is what we all should have been striving for in the first place.

This is an attempt to bring in the wild West of "oh, we're collecting everything everywhere." So there's going to be a ton of nuance, there's going to be a ton of fallout. It is going to be absolutely fascinating to see what the first case brought by the regulatory bodies in the EU is, what the fine points are, and really, you know, you can write legislation or regulation, and then it needs to be implemented and run through the courts a few times, run through the judiciary, to see really what it means.

But overall, from a security professional perspective, I think GDPR is wonderful. It forces businesses, through a big enough fine, to treat data with a level of respect, to understand the trust that users are putting in you to collect and hold that data. And it's not prescriptive as far as "thou must implement firewall, thou must implement intrusion prevention."

It is a well-written regulation that says you need a strong IT security posture, you need to manage risk, you need process. So none of this stuff should shock or surprise anybody. It will, unfortunately; that's just the reality of what it is. But I would look at GDPR as a great learning opportunity.

It's a great educational opportunity for security teams to be out there talking to the rest of the business to help them understand how to handle data. Your users have trusted you with their data. It is incumbent on you to protect it and to do your best to ensure that they still have control of that data.

So GDPR is that in a nutshell. It gets implemented on Friday the 25th, so we're gonna see what happens. I'm gonna be stuck to the internet in one way, shape or form, you know, getting a lot of alerts from different sources to see who's up first, because that's gonna really define the tone, I think, for GDPR.

And we'll see what happens. What do you think? Let me know, hit me up online, marknca, comments down below. It's a fascinating time. We'll see how this goes. How many questions? I would love to know from you guys: what is the top question you've been asked about GDPR?

Is the business even asking? But if they are, what question are they asking specifically? Let us know. Let's share some answers. Let's share some questions. I hope you guys are all set up for a fantastic Tuesday. I will talk to you online and tomorrow.
