If you’re fairly new to this ‘privacy stuff’, you might be wondering why I used the phrase ‘data privacy’, not ‘data protection’. Well, unlike the security industry where we can’t even agree on when to use ‘cybersecurity’, ‘data security’, or ‘information security’, the privacy world has its act together. Hell, security folk can’t even agree on the spelling OF cybersecurity/cyber security!
But for the purposes of this blog, and the Part 2 guest blog to follow, it’s important that you accept my definitions at least, whether you agree with the names or not. It’s the points I’m trying to make that matter, not the nomenclature.
No, this is not a political statement, though I couldn’t resist a play on words that also takes a poke at nationalist imbeciles on both sides of the Atlantic.
Instead, this is about the UK’s pending/potential/who-the-hell-knows-when/if exit from the EU and its effects on international transfers of personal data to/from the UK to/from the EU. Amazingly this is still confusing to a significant portion of the population, if they have even looked into it at all. You must understand that unless you have absolutely no intention of doing business whatsoever with your soon-to-be-ex EU counterparts, it’s the UK businesses that will need to be pro-active. Well, pro-active was three years ago, but you simply must make it easy for EU-based businesses to work with you regardless of the Brexit result.
I have long maintained that fines under GDPR are the last resort, and that the ICO do NOT want to use Article 83 of the GDPR as a stick to scare organisations into compliance.
The ICO commissioner, Elizabeth Denham has even said as much herself, using the word “nonsense” when it was suggested that large fines would become the norm, that “Issuing fines has always been, and will continue to be, a last resort[…]“, and “While fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well suited to the task at hand and just as effective […]“.
I have made no secret of my distain for the ‘GDPR Practitioner Certification‘ badge, and I still have no time for it, or its recipients who pass it off as real-world experience. But what alternatives are there if you want to obtain some form of data protection certification / privacy education?
The de facto standard, and really the only player in town, is the International Association of Privacy Professionals (IAPP), and their flagship badge, the Certified Information Privacy Professional (CIPP), is the most widely recognised and respected acronym you can add to your CV/resume. It’s the equivalent of the CISSP for those of us in the cybersecurity industry.