Are Data Protection Laws Hurting International Business?

[Note: For this blog I’m going to focus on US-based ‘content’ providers (e.g. newspapers) as these folks seem to be the ones hit particularly hard by EU legislation.]

From May 25th 2018, we have all likely encountered at least one of these notices when browsing US-based websites:

Continue reading

Which GRC Tool Do I Recommend for GDPR Compliance?

None.

That’s right, none. Not until you’ve done a LOT of homework first. Even then, the most you’ll get from me are the right questions to ask to move forward, and [eventually] help with your vendor due diligence.

Besides, true security consultants should never ‘recommend‘ a specific technology by name, let alone by vendor. Our job is to provide you options based on a detailed breakdown of the security control function gaps that require filling, which in turn were determined from the results of an appropriate risk management life cycle. i.e. [simplified]:

Continue reading

GDPR: Here Come the Big[ger] Fines

I have made no secret of my distain (bordering on disgust) for anyone using the GDPR’s ‘administrative fines’ to further their own ends. Whether the ends are selling products, services, or column inches, trying to scare organisations into parting with their hard-earned cash is totally unacceptable and I only hope that most of them have failed.

That said, it is clear from Google (€50M), British Airways (€200+M), and Marriott (€110+M) that enormous fines are now a reality for organisations who egregiously break the law. And make no mistake, they ARE breaking the law. A law that enforces one of OUR fundamental human right.

Continue reading
GDPR Fines

Does ISO 27001 Certification Give You Immunity From GDPR Fines?

I was actually chuckling to myself as I wrote that title because I know you were thinking [the equivalent of] one of the following as you clicked on the link:

  • If you have not read the GDPR: “That would be awesome!”
  • If you have read the GDPR: “Don’t be so bloody stupid.”
Continue reading
Right to Erasure

GDPR: The Right to Erasure Does Not Always Mean Forgotten

The title should actually be more in question form; Did you know that there’s even a difference between being erased and being forgotten?

Article 17 of the GDPR is “Right to erasure (‘right to be forgotten’)“, which suggests they are the same thing. They are not [quite], and I think the only reason the right to be forgotten was added in brackets is because everyone was already calling it that. But it’s just not accurate …enough.

Continue reading