The EU General Data Protection Regulation (GDPR) comes into effect on the 25th May 2018, a little over a year from the time I’m publishing this article. Hot topics in information security pass with the tides and I’ve ridden the troughs and the waves for many a year. For some reason though, the GDPR buzzword seems to have split our normally friendly community.
Sure, it’s a new specialism, but please don’t tar anyone who is trying to gain a GDPR post as ‘band-wagoning’. When any law changes, there is always a demand for the best people to help transition from old to new. The new EU GDPR is no different in that respect. We’ve already known for nearly 2 years what changes are in the pipeline. There are also loads of people who are Data Protection experts who have been trying to get funding and organisational buy-in for GDPR projects.
Is there such a thing as a GDPR expert?
Without the GDPR being in effect, businesses are still completing their rectification programmes and the first test cases will need to go through the courts. Until then, no one is going to be a ‘GDPR expert’. That said, a real information security / data expert will take the time and effort to gain a certification in the GDPR. They are the people who want to make sure your business is best prepared for the change in law. These consultants have read the subject matter provided by the enforcement bodies, they have understood it and can interpret it to businesses. They have taken exams accredited by international bodies to verify that they know this subject. They are ‘Certified in the EU GDPR’ and combined with security experience will be in the best position to assist your organisation.
I’m calling today from XYZ agency….
And this is what is splitting our friendly community. Agencies can be great people doing a thankless task: cold calling companies to find where they can place people, and being cold called by staff trying to find their next post. Companies are saying that they need a GDPR expert pronto, starting tomorrow and in post for the next 18 months. They don’t understand it, but they are getting pressure from the board to ensure that the risk is covered off. Find me ‘someone’ who can own this for them. Create an advert for a GDPR expert and let’s see who applies – use the Job Description from one of the other security roles we used previously.
Recruiting managers are intelligent. They know that if someone is declaring themselves to be a GDPR expert, then the CV should probably be used as fertilizer for roses or rhubarb. But sometimes, between the person, the agency and the recruiter, a message can be changed. Has the person said that they are an expert, or have they said something slightly different?
GDPR is a specialism, a skill and even a buzzword. People put it in their applications and on their CV to ensure that they get pattern matched. Unless they can get matched electronically, their CV won’t even progress to ever being read by a human.
Don’t blame people for putting ‘GDPR’ on their CV, but if you are hunting for a real expert then include ‘Certified in’ within your search criteria. You’ll then find fewer matches and can spend time reading the content of the CVs. Then you’ll be able to find your security experts who have had recent and comparable experience on other projects.
What about ‘Information Security’ experts?
The GDPR may be a new regulation, but the principles behind it are what every good information security practitioner has ever preached. It’s still the same basic data security message we have always conveyed:
- Don’t collect and hoard personal data unless you can verify it is legally necessary to do so.
- Be transparent with the owners of the data.
- Make sure you can prove that you have their consent to use it in your specific manner.
- Make sure that you have adequate security controls in place.
If you follow information security good practice guidelines, then it’s likely that you’re not going to have too much of a problem. You are still going to have to work out what you are going to do about the GDPR.
So what next?
Well, the clock is ticking, and time is indeed running out. If you are in a regulated industry then time is probably shorter still. There are some very good approaches to the GDPR problem. The first is to get a grip on what ‘today’ looks like. If you already have a GDPR project, does it have a plan, and is that plan funded and resourced?
Then you just need a bunch of ‘GDPR experts’….
Infosec maturity huff and puff
Once upon a time there were three little Infosec guys. They used to sit down and huff...