Here we go again. A regulation or standard gets released and suddenly everyone’s an expert, every vendor has a solution or silver-bullet technology, and hundreds upon hundreds of organisations spend a fortune on something they were far better off doing themselves.
It happened with PCI, SoX, and a plethora of other smaller or more region/sector specific regulations, and now it’s happening to GDPR. All because most of us are just too bloody lazy to do a little bit of homework to find a real expert.
Or in a lot of cases, too lazy to even read the damned standard! Yes, it’s dull, but it’s not that difficult to decipher to the point you can ask a few intelligent questions.
But the real problem stems from the fact that most people don’t even know what privacy is. Personally, I am not an expert in privacy, I’m an expert in cybersecurity. If you think those two things are the same, or even very similar, you are already way off the mark. Yes, there is an overlap, but only in so far as a data breach can possibly lead to a loss in privacy.
But that’s the point, it’s only a possibility. Just because someone stole your data, does not mean they’re going to use it against you.
To summarise in a very general way:
Security = Preventing unauthorised ACCESS to your data; and
Privacy = Preventing unauthorised USE of your data.
Because this distinction is almost universally misunderstood, cybersecurity vendors are often the first ones organisations turn to. However, instead of steering these poor deluded fools in the RIGHT direction, vendors sell them what they asked for. What they got, and are still getting, is a fraction of what’s required. 3.34% to be exact.
I’m not saying a security expert cannot be a privacy expert as well. I’m also not saying that every vendor lacks integrity. But I am saying you’re the one to blame if you end up with a muppet.
So How DO You Spot the Charlatans?
Actually it’s rather easy, they use phrases like:
- Avoid hefty fines by ensuring you’re GDPR compliant!;
- Time is running out, save your business!;
- Ask our security experts how to [enter rest of lie here];
- They claim that ISO 27001 can cover the entirety of the regulation;
- Any combination of words that includes “GDPR compliance” or “GDPR certification”;
- Any sales pitch or article that leads with possible fines (unless it’s to put down those that try).
…or they are:
- Regular cybersecurity vendors;
- Any vendor selling ‘GDPR software’;
- A recent Certified General Data Protection Regulation (GDPR) Practitioner (and has no other privacy experience);
- Anyone with CISSP, CISA, CISM, CRISC etc. emblazoned on their LinkedIn profiles (and has no other privacy experience);
- NOT A PRIVACY EXPERT!
Finding a real expert is not that difficult, you just have to look for people who have been doing privacy work for a long time. These people do not HAVE to be privacy lawyers, but it certainly helps. And while there will be a whole swarm of scum-bag lawyers chasing the GDPR ambulance, there are a lot of good ones out there anxious to help. My own sister is one.
On the positive side, look for things like this instead. These bullet points were taken from a free seminar that I have actually signed up for:
- Understand the implications of the GDPR on your business-critical processes;
- Learn how to prepare for the implementation of the GDPR;
- Gain invaluable instruction and insight on the regulation and how to comply;
- Discover the security solutions that can help to mitigate risks and assist in meeting your security obligations under the GDPR
This is the kind of education I can get behind. I really hope it’s not a well-disguised sales pitch…