I just attended the SecureWorld Conference in Seattle, where one of the major topics was the General Data Protection Regulation, or GDPR.
I’ve been tracking this regulation for some time and working on it for a while, so when I realized the majority of my fellow attendees had no idea what it was, I was kind of surprised.
I was even more surprised when I realized they didn’t like it. Much of the commentary from infosec folks centered on the difficulty of complying with the regulation, with many questions about possible shortcuts from existing efforts.
Could PCI be extended to cover it? What’s with all these reporting requirements – how can they be avoided?
What’s the easiest way to check the box?
The thing is, I think these perspectives and questions are getting it all wrong. The GDPR is a fantastic win for us, both as consumers and as information security professionals, and I really hope you’ll join me in drinking the Kool-Aid on this one. Here’s why.
First, when most people first encounter GDPR they see the size of it (several hundred pages of dense text) and immediately try to TL;DR out of the thing. Most of the summaries focus on the things businesses need to do to comply, and if you’re focusing on it from the nuts and bolts compliance perspective it’s a huge, unwieldy beast.
But there’s a better way to summarize it in just a few sentences:

Personally identifiable information (PII) belongs to the person it identifies, period. They get to decide what to do with it. And companies aren’t allowed to be a dick about it.

That’s it.
So, all those compliance steps? They’re not really that big of a problem if you think about it in those terms. Implementing it for the first time can be a problem, yes, especially if the company in question has been cavalier about the collection and use of personal information in the past (and let’s face it – they have been).
But in one stroke, the European Union has handed the information security industry the opportunity to fix a whole slate of wrongs with the use of personal information, to improve our companies’ processes and environments in ways that materially improve their security postures, and to let someone else (the EU) take the lumps for it – “It’s not me, boss, it’s the EU”.
Here, in five steps, is how you can do all of that, comply with the GDPR, and still be a hero to your employers.

  1. Figure out where the PII is in your organization.Talk to every department, search all of your databases, hunt it down. This is the hardest part, but remember this – if the data is important, your business should know about it anyway.
  2. Figure out what your business does with the data and how valuable it is. Establish with your business owners a threshold for value: at what point is the information important enough to keep around, and how much of it are you keeping just because that’s what you’ve always done?
    Seriously, we talk about customer data as this hugely valuable asset, but… our customers don’t like it when we keep it, they hate it when we lose it, and more than half the time we never do anything with it anyway.
    So if you’re not going to use it and it’s going to cost time and effort to include it in compliance efforts… just get rid of it.
  3. The information you do need to keep – how are you storing it? How is it secured? Now that you’ve got your arms around what it is and why you need it, including an assessment of its value, it’s a lot easier to make sure it’s being protected properly.
    Long term, I like the idea of a central PII data store that grants extremely selective access to applications and business units and uses the role of the Data Protection Officer (DPO) as a gatekeeper function for said access.
    Short term, you’ll need to break that up according to where the data’s stored and how it’s accessed, but one step at a time, yeah?
  4. Time for some communications campaigns.Now you know what data you have, why you need it, and what you’re doing with it, tell everybody who needs to know.
    1. The first to your employees, all of them.Outline the above, especially the changes in what information your company wants to keep and use, and why it’s important – you don’t want someone in Marketing deciding to start tracking customer contacts in Excel.
    2. The second to your customers, explaining the changes you’re making, how they benefit, and how they can have their information removed from your systems.
      Your marketing and sales people should love this. Reaching out to all your customers with a message detailing how you’re making them happier? If they can’t score some wins from that, they’re in the wrong field.
    3. Finally to your security and IT help desk folks, development teams, and so on, ensuring they know that from now on, personal data is part of your company’s crown jewels and establishing processes and standards for data collection, handling, and use.
  5. Now, you need to create your Article 30 compliance reports.And it’ll be easy because all it does is document who’s responsible for the personal information you collect, that you’re internally clear on how and where data is stored and processed, and some process information about those items. Easy, because you’ve already done all of that in the earlier steps.

I know change is not always our favorite thing. And compliance is often the bogeyman we use to scare new helpdesk folks into following rules. But this time we get to make the world better, we get to make our organizations more secure, and we get to look good doing it.
Seriously, how is this not the greatest thing since single malt?