GDPR: How Much Compliance is Enough?

I was asked the equivalent of the subject question the other day, and realised that perhaps the demonstration of compliance is not quite as obvious as I have made it out to be in previous blogs.

And by ‘obvious’ I don’t mean ‘simple’, because this has always been simple.

The word ‘appropriate‘ appears 115 times in the GDPR final text, and the word ‘reasonable‘ a further 23, but if you don’t know how to define those things in relation to compliance for your organisation, how do you know when you’ve done enough? Or too much? The balance is as important to your business as compliance itself.

Continue reading

On the Convergence of Data Privacy and Data Security – Part 2

In Part 1 of this two-part blog ‘series’, I played the part of a security expert (which I do most days), and examined how privacy is changing the face of the security industry.

In Part 2, I have enlisted the help of a lawyer, data protection and contracts expert, who is basically to blame for me getting into this ‘privacy stuff’ in the first place. She also happens to be my sister; Angela Boswell.

In her learned (and earned!) opinion……………………

Continue reading

On the Convergence of Data Privacy and Data Security – Part 1

If you’re fairly new to this ‘privacy stuff’, you might be wondering why I used the phrase ‘data privacy’, not ‘data protection’. Well, unlike the security industry where we can’t even agree on when to use ‘cybersecurity’, ‘data security’, or ‘information security’, the privacy world has its act together. Hell, security folk can’t even agree on the spelling OF cybersecurity/cyber security!

But for the purposes of this blog, and the Part 2 guest blog to follow, it’s important that you accept my definitions at least, whether you agree with the names or not. It’s the points I’m trying to make that matter, not the nomenclature.

Continue reading

The Rise of the Breach Response Specialist

It was not that long ago that the most senior security incumbent at the time of a data breach was not only fired ignominiously, but torn to shreds by his/her ‘peers’ as being anything from unqualified, to incompetent, to grossly negligent.

They became nothing short of pariahs.

The vestiges of this ridiculous practice are still rife (take BA for example), but things are changing, and we all have a Recital to thank for it:

Continue reading

Making Britain ‘Adequate’ Again

No, this is not a political statement, though I couldn’t resist a play on words that also takes a poke at nationalist imbeciles on both sides of the Atlantic.

Instead, this is about the UK’s pending/potential/who-the-hell-knows-when/if exit from the EU and its effects on international transfers of personal data to/from the UK to/from the EU. Amazingly this is still confusing to a significant portion of the population, if they have even looked into it at all. You must understand that unless you have absolutely no intention of doing business whatsoever with your soon-to-be-ex EU counterparts, it’s the UK businesses that will need to be pro-active. Well, pro-active was three years ago, but you simply must make it easy for EU-based businesses to work with you regardless of the Brexit result.

Continue reading