You have to ask the right questions
I have lost count of the number of times I have included phrases like “…” into my blogs, or into conversations with prospective clients. One of my primary roles as a consultant is to either help my clients do just that, or to give them the right answers first if they are just too far behind the curve.
This is very easy in security, the ‘basics’ have not changed for generations, nor will they ever. So, for example, the question is never “What technology do I need?”, it’s “What function does the risk assessment say
But when it comes to GDPR, asking the right questions involves a significant amount of research and homework. Not only do you actually have to read the damned thing several times yourself, you have to understand it enough to apply it to your unique requirements. You have to be able to take the next step or nothing will happen.
The title should actually be more in question form: Did you know that there’s even a difference between being erased and being forgotten?
Article 17 of the GDPR is “Right to erasure (‘right to be forgotten’)”, which suggests they are the same thing. They are not [quite], and I think the only reason the right to be forgotten was added in brackets is because everyone was already calling it that. But it’s just not accurate …enough.
The right to be forgotten is intended to allow an individual to “determine the development of their life in an autonomous way, without being perpetually or periodically stigmatized as a consequence of a specific action performed in the past.” For example, you may have been guilty of a minor criminal offence 30 years ago, which in the UK would likely make that offence “spent” (i.e. it should not be considered in any decisions against you related to insurance, employment, loans and so forth). However, if this criminal record has been posted online then duplicated in numerous forms all over the place, it will never go away. In other words, you’ve paid your ‘debt to society’ but it will haunt you for the rest of your days.
BA faces record £500M fine for data breach!
Just about every major news outlet in the UK has the same headline for the BA data breach: “…”. Some are not content with even this degree of utter nonsense and are actually making things worse by saying that affected passengers are now “threatening boycott”.
I can only assume these morons are short-selling BA stock in order to cash in on their otherwise total journalistic ignorance and complete lack of integrity.
I was personally affected by the breach, and I can assure you I will not be giving my business to Easy Jet as a result.
Yes, I am pissed off. Here’s why:
“Certified” GDPR Practitioner
I have made no secret of my disdain for organisations and individuals who consider themselves qualified to determine their clients’ lawful basis for processing without having the necessary education or experience to do so. Just reading the GDPR a few times and doing some homework (like me), or taking the course (or equivalent), does NOT qualify you to talk legal matters with anyone. Don’t try.
On the other hand, a privacy lawyer (or equivalent subject matter expert) is just as likely to be spectacularly unqualified to get the information required to make the legal determinations in the first place. It is even more unlikely that they can manage the project from start to finish. Even if they could, there’s no way they’d be available, or affordable.
So what you end up with is either someone(s) who can only get you most of the way, or someone(s) only able to take you over the finish line.
I finally figured out why this blog was so damned difficult [for me] to write; I’ve been thinking all wrong about what exactly a DPO actually is. Which is odd, because I had the exact same challenge when writing about CSO/CISOs, and I really should have learned from my mistake.
When you think about a CISO (assume this also means CSO), or a DPO, you instantly picture a person. Maybe your organisation already has one so their face springs to mind, or if not, you have an indistinct and faceless image of someone in a suit. The fact is, neither the CISO nor the DPO are people, they are functions. Multiple functions in fact.
And not only that, they involve multiple disciplines, skill-sets, even personal preferences. Most importantly, neither the CISO nor the DPO functions [performed correctly] are ever a single person. A DPO would, quite literally, have to be an expert in privacy law (both EU and national), contracts, risk management, policy development, distribution and audit, and understand all personal data flows throughout the business.
You therefore need to break the function down before you can move forward. For example, I broke the CISO function down into 3 distinct skill-sets/phases: