GDPR : Devil in the Details

GDPR: A Compliance Quagmire, for Now by Tara Seals

There’s also a grey area around accountability and proof of data-handling compliance. “The GDPR requires that you can show evidence that you’ve received a request and taken action in an appropriate timeframe,” Klassen explained.

And that, he explained, carries its own set of new privacy considerations, many of which will be challenging for U.S. companies looking to comply with the regulation.

“It gets tricky,” he said. “When an individual makes a request, the company has the right to ask for proof of identity, because after all, that could be catastrophic if they erase the wrong person’s information or return a different person’s information. So for instance, Google requires you to take a picture of your passport—then the question becomes whether you’re giving them information that’s more sensitive than the data you’re looking to access.”

Further, companies can’t erase that proof of ID.

“A data subject can say, that wasn’t me, prove that it was,” Klassen explained. “So if they don’t have that proof, they’re in trouble.”

Ugh! My head hurts thinking through all the technical problems created by this piece of legislation that was most likely created by lawyers and bureaucrats without an understanding of technology or process. I can't even get a straight answer as to whether my simple blog needs to be compliant nor can I afford to pay a lawyer to answer that question. And even if I needed to be compliant, I am certain it would have a financial impact on my ability to operate this website.

You're a photographer in an E.U. member country. You snap a photo of someone or a group of people in public or at an event. You get signed consent to use the image for news reporting or your website. The image is published in a newspaper/magazine/website. One of the people in the image later objects to its use and wants the image removed. What do the photographer and publisher do? How do you recall and destroy all copies of the newspaper or magazine? How do you ensure that the online image has not been downloaded and copied elsewhere by people/entities you have no control over?

Policing Each Other

The genius of GDPR is that it forces companies to police each other – Quartz

It’s the large data controllers—the companies responsible for safeguarding the data—who will drive enforcement by requiring that their data processors become compliant and cutting them off if they don’t, McGarr notes. Under GDPR, small companies not only face the financial stress of being compliant, but they will now find themselves competing with their peers for the business of large corporations based on how compliant they are. “Short term, this is a shocking competitive advantage,” said McGarr.

Aaron Tantleff, a cybersecurity expert at law firm Foley & Lardner, said: “Clearly, the drafters of the GDPR realized that by wielding such a large stick, they would be able to force companies into compliance out of fear.”

“Those who are thinking about misbehaving will find themselves with greater liability under the GDPR,” Tantleff said. “Despite the under-funded or under-resourced nature of the supervisory authorities, I do not see those entities letting companies skate by.”

PCI DSS & GDPR Compliance Event with (ISC)2 New Jersey Chapter

Attending Regulatory Compliance - PCI & GDPR - Are You Ready?

Agenda

5:30-6:00 Networking / sandwiches

6:00-6:10 Chapter Update

6:15-7:15 GDPR - Will We Make the Finish Line? Mike Money, Protiviti - Global Data Privacy Regulations becomes fully enforceable on May 25, 2018. Have you implemented the right to be forgotten? Should you?

7:15-8:15 PCI's New Guidance on Cloud Security, Protiviti - Details to follow

I would love to catch up with the folks in the New Jersey Chapter of the ISC2 and I have a special interest in the GDPR. I'm not sure if I'll be working in Manhattan or New Jersey that week. My attendance at the event is dependent on that.