ULYSSES, THE SIRENS AND KNOWLEDGE

By Giancarlo Butti | Sunday February 4th, 2018

“Me alone she bade to hear that song; but you must bind me with the tightest bonds, so that I stay still, upright on the mast, and the ropes must fasten me to it”

Homer

“Consider ye the seed from which ye sprang;
Ye were not made to live like unto brutes,
But for pursuit of virtue and of knowledge”

Dante

Consultancies, software houses and application developers regard GDPR as the business opportunity of the moment.
Public-sector bodies and companies, short of funds, have to invest wisely, and nobody wants to miss out on it.

In this situation, wheeler-dealer salesmen present themselves like sirens offering wonderful solutions.

The most fashionable message sounds like: “if you adopt our solution you are GDPR compliant”.

In most cases the message is as true as it is incomplete.

For example, if an antivirus vendor says “if you adopt our solution you will be privacy compliant”, he is right, in a sense: Annex B of the Italian Privacy Code imposes the use of antivirus software as a minimum security measure.

What the message does not say is that full GDPR compliance is hard to achieve. There are 26 other minimum security measures (whose omission is sanctioned under criminal law) to implement, together with tens or hundreds of tasks (depending on the size and kind of processing) to carry out in order to comply with Italian privacy law.

And it is not the vendors’ fault at all: they do their job and promote their products.

It would probably be a good idea for them to tell customers which specific GDPR security requirements their products cover.

The real problem is the lack of awareness about setting up a GDPR compliance programme, now that we are a few months away from the EU Regulation becoming applicable; probably only the heavy penalties imposed will make Controllers aware of how far they are from real compliance.

On the other hand, wheeler-dealer salesmen will profit from this culpable lack of awareness (cf. my post PRIVACY LAWS) by inventing compliance requirements that the Regulation does not impose. Words such as “pseudonymisation”, “anonymisation” and “encryption” are their bread and butter, even though nobody has checked what the GDPR actually says.

Take encryption: unlike the Italian Privacy Code and the measures of the Italian Data Protection Authority, which require encryption in many cases, the GDPR does not impose it.

The security measures listed in Article 32 GDPR (“Security of processing”) are intended as suggestions:

1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including INTER ALIA AS APPROPRIATE:
(a) the pseudonymisation and encryption of personal data;

There is no doubt about the meaning of INTER ALIA and AS APPROPRIATE: they confirm that what is listed in Article 32 is only a suggestion and calls for a discretionary assessment by the data controller, under his own responsibility.

Clearly, a list of suggested measures gives the Data Controller a line of defence: it relieves him of fixed, prescribed requirements and increases his ability to prove that he is GDPR compliant.

Therefore, encryption and the other security measures cannot be considered binding.
The Data Controller’s programme must reach GDPR compliance by 25 May 2018; the real question is how.

He may adopt technical measures, but these can be too expensive or difficult to implement. Alternatively, he may adopt organisational measures, with a suitable mechanism to ensure periodic and ongoing verification.

Certainly, having an implementation programme by 25 May is not enough if the security measures and the other GDPR requirements are not in place.

It is worth remembering that Controllers who are late have no excuse: the GDPR entered into force two years ago, and the first draft dates back six years.

Personally, faced with a lack of money, I think that the most important investment should be made where there is a real risk of a data breach that requires notification to the Authority. Such an event may harm the image of the Data Controller in a way that could hardly be recovered.

Finally, a call to IT solution providers to be more accurate in their offers, and to Data Controllers to resist, like a modern Ulysses, and to get informed about the real GDPR requirements through direct analysis of the EU Regulation.

Category: Legal framework

About Giancarlo Butti

He has dealt with ICT, organisation and legislation since the early 80s, covering different roles: security manager, project manager, auditor at banking groups, consultant in security and privacy to companies of different sectors and sizes. He carries out regular dissemination activity through articles (over 700), books (21 between books and white papers, some also used as university texts, 8 collective works within ABI LAB, the Oracle Community for Security and CLUSIT), technical manuals, courses, seminars and conferences. He participates in working groups at ABI LAB on Business Continuity, Risk and GDPR, at ISACA-AIEA on GDPR and 263, at the Oracle Community for Security, at UNINFO and in the Committee of experts for the innovation of OMAT360. He is a member of the faculty of ABI Training. He is a partner and proboviro of ISACA-AIEA, and a member of CLUSIT and BCI. He is certified LA BS7799, LA ISO/IEC 27001:2013, CRISC, ISM, DPO, CBCI, AMBCI.