(this is a repost dated April 2018 from my old blog, which I thought should be preserved as it is still oddly relevant)
Stop it!
I swear, if one more person comes to me and asks me about hashing or encrypting data or putting it in a vault somewhere or whatever, just so they no longer have to comply with GDPR then… then… then my brain will explode on them and then they will end up with a hefty dry cleaning bill to get all that gunk out of their clothes.
StopitStopitStopit!
Let’s establish something now that apparently an entire industry was stood up overnight to imply otherwise and generate massive and utterly unnecessary consulting fees – and I say this as the founder and active principal consultant of a consulting firm that, amongst other things, specializes in GDPR:
GDPR is not a data protection standard.
Read this before you continue. Read it twice, three times, as many times as you need to internalize it. Here, I’ll repeat it for your convenience:
GDPR is not a data protection standard.
GDPR doesn’t care how you protect the data you collect. It’s up to you to determine how to do that. GDPR is not PCI. GDPR is not, for that matter, SOC2, or ISO27001, or any other standard. GDPR is GDPR, is stands on its own.
And it is one of the simplest damn privacy regulations ever created that is also so comprehensive.
(well, OK, maybe that last bit was a bit of creative license. Still, bear with me)
Why do I say this? Because GDPR asks you simple questions. Simple. As in, not complicated. It wants you to answer things like:
“what data are you collecting from end users?”
“why are you doing this?”
“what do you intend to do with this data once you have it?”
“who will you share it with?”
These are not difficult questions to answer. Really, they aren’t. Think of it as a middle-school quiz. Answer them simply and honestly. Then take your free-form answers and send them to a writer with a bit of legal training and have them craft those answers into a privacy policy.
Publish it. Refer users to it when they use your website.
That’s it. You are now compliant with GDPR.
(again a bit of creative license, but essentially, this is the spirit of the rules)
Now keep doing the above into the future. Any of these answers change, make sure you update your internal documents and your privacy policy. Build a mechanism to inform your end users, and seek their approval – but you have that already, because you’d had a privacy policy for years now, haven’t you?
Not too difficult, is it now?
Sure, access rights could be a pain if you have never before thought about needing to, say, remove someone’s data from your systems if they ask you to do so. Fine. Sucks to be you. Honestly, I’m glad GDPR exists to force companies to implement these rather basic privacy rights. These requirements do require technical control design and implementation.
But it still doesn’t tell you how to do it. That’s up to you. Figure it out. Come up with a plan. There is nothing to comply with here, except the end result.
You know what this also means? It means that the entire idea that there is some class of data that, if you just manage to avoid storing it in a reversible manner, you could “escape” your GDPR responsibilities is so utterly bunk that it deserves to be shamed in public square. Tarred and feathered.
So stop asking about it.
You’re not getting out of it, sorry.
But it’s really not that threatening, or difficult, or painful. Those 4% (or 10%) penalties? They are intended for repeat, egregious offenders. Here, let me put it bluntly, because that’s my trademark style: they are intended for Facebook, not you. For now, anyway.
So, don’t be Facebook.
Even so, GDPR isn’t about the technical controls. Stop pretending otherwise!
And yes, I realize all too well that there is literally an army of consultants out there claiming otherwise, vendors selling you technical “solutions for GDPR”… but they have their own motivation (make money off fear), and GDPR right now is awesome for sales (as, admittedly, our own pipeline shows). I also suspect this is one of those cases where if one is a hammer – a technically proficient person who is asked to solve a problem – then everything (including privacy rules that have nothing to do with technical control implementation) looks like a nail. Except in the case of GDPR…
… it’s a banana.
Mark
Thanks for your blog, nice to read. Do not stop.