I was listening to Jenny Radcliffe interviewing Sarah Clarke on The Human Factor podcast the other day. (If you haven’t tuned in to this podcast, you are definitely missing out on a magnificently entertaining and educational experience!)
Sarah made an accurate observation about what would happen after the May 25th deadline for GDPR compliance. She said that she was concerned that many folks would lapse into a bit of complacency after the deadline passed. That is not a direct quotation, but the sentiment is the same. The GDPR contains strategic goals, not just tactical approaches to the future.
I have already witnessed how some folks who are on the front lines of infosec are not only misinformed about the regulation but also not as well-versed in it as they should be. This is dangerous, considering that we are meant to be part of the process that supports this far-reaching regulation.
I was on a recent phone call with a pentest vendor who was telling me that the GDPR “absolutely requires” penetration tests on all networks. A quick search of the GDPR for the word “pen” turns up some very useful information, such as the words indePENdent, dePENding, and PENalty but, alas, nothing about a penetration test.
In the vendor’s defense, Article 32 in Section 2 states, “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including . . . a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”
One could loosely interpret that to indicate penetration testing, but it could also be interpreted more strongly as speaking towards an audit mindset.
I wondered what could be causing this problem, and as I asked around, it seems that most folks have obtained their GDPR knowledge from webcasts, infographics, conferences, and other advisory sources. In a court of law, this second-hand knowledge would fall victim to what is known as the “hearsay rule,” meaning that the witness is making an utterance of a fact not experienced first-hand.
We are all familiar with the pitfalls of hearing something other than the original message. The distortions lead to altered “facts.”
The GDPR is a beast of a regulation, and in some cases, it is seemingly unintelligible. Take my favorite section of the text, which occurs early on (at paragraph 37 of the preamble). It reads:
“A group of undertakings should cover a controlling undertaking and its controlled undertakings, whereby the controlling undertaking should be the undertaking which can exert a dominant influence over the other undertakings by virtue, for example, . . .”
Sounds like something out of a Monty Python script.
However, as seemingly difficult as this language may be, the regulation begins to flow in a more coherent fashion as you dive deeper into it.
The best tip that I can offer to any infosec person about GDPR is to make a large cup of tea (a really large cup), sit down, and read the regulation. All the informational articles (like this one) and other reference sources are excellent supplemental material, but don’t rely on those for a deep understanding of the regulation. That is like using SparkNotes to get through The Odyssey, and then wondering why you don’t feel the spray of sea air when recalling various parts.
A word of caution, though: don’t expect to finish it in any short amount of time. However, like The Odyssey, or any great classic, the reward of doing so far outweighs the effort.
We are all in this one together, for the long term.