Are Data Protection Laws Hurting International Business?

[Note: For this blog I’m going to focus on US-based ‘content’ providers (e.g. newspapers) as these folks seem to be the ones hit particularly hard by EU legislation.]

From May 25th 2018, we have all likely encountered at least one of these notices when browsing US-based websites:

Continue reading

GDPR: What To Expect When You’re Breached

You’ll notice I said ‘when’, not if, because if you have personal data online you will, eventually, be breached in some way.

I know this because the GDPR’s definition of ‘personal data breach‘ (Art. 4(12)) does not just mean ‘hacked by a bad guy’, it means: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;”. This therefore includes every unauthorised action that happens to the data, including the inevitability of human error. Nothing malicious, just a simple mistake, but it’s still a breach.

Continue reading

Which GRC Tool Do I Recommend for GDPR Compliance?

None.

That’s right, none. Not until you’ve done a LOT of homework first. Even then, the most you’ll get from me are the right questions to ask to move forward, and [eventually] help with your vendor due diligence.

Besides, true security consultants should never ‘recommend‘ a specific technology by name, let alone by vendor. Our job is to provide you options based on a detailed breakdown of the security control function gaps that require filling, which in turn were determined from the results of an appropriate risk management life cycle. i.e. [simplified]:

Continue reading

Why the BA Fine Was So High, and What YOU Can Do To Avoid the Same

I have long maintained that fines under GDPR are the last resort, and that the ICO do NOT want to use Article 83 of the GDPR as a stick to scare organisations into compliance.

The ICO commissioner, Elizabeth Denham has even said as much herself, using the word “nonsense” when it was suggested that large fines would become the norm, that “Issuing fines has always been, and will continue to be, a last resort[…]“, and “While fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well suited to the task at hand and just as effective […]“.

Continue reading

[SELF-PROMOTION] New Core Concept Security Website

After 6 years of faffing around, my Core Concept Security website is finally up and running! Click (https://coreconceptsecurity.com).

Core Concept Security

It’s very basic, so I should be grateful for your comments / suggestions on improvement.

Many thanks,

David