Why GDPR Is Nothing to Fear

The General Data Protection Regulation (GDPR) has organizations scrambling to improve their existing network infrastructures to meet the new standards. On May 25, 2018, GDPR goes into effect and with it, new penalties for those who violate the EU's demand for tighter data protection.

There is another edge to the proverbial sword: lost revenue and consumer trust. When an organization is cited for non-compliance, the outrage of consumers can be equally, if not more, financially damaging. The maximum fines are written into the regulation (up to 4% of worldwide annual turnover or EUR 20 million, whichever is higher), but until the first fine is issued, everyone is still speculating on how severely regulators will apply them. However, there is historic data we can examine that shows the effects of lost consumer trust. When millions of EU citizens refuse to do business with you, it can have staggering effects on revenue.

Organizations looking to satisfy regulators must not underestimate the cost of losing millions of customers. Combined, these two costs can swiftly bankrupt a company.

That's a lot of doom and gloom, especially when, as I'll lay out in this blog series, you likely already have everything you need to comply. Stick with us, and we'll show you the steps your organization can take, some philosophical, some technical, to prepare your network for the new regulations and fortify consumer trust.

We will set aside the personnel requirements (such as appointing a Data Protection Officer) and the breach reporting process, because we are looking at what you can do to ensure compliance and prevent data exposure and compromise from the very start. The methods are not new; they are the foundations of information security. And GDPR is just a special instance of a government regulation; you've seen this for decades. There is nothing to fear.

Step 1: Don’t Panic

With all the fear and doubt surrounding GDPR, it is natural to feel anxious about it all. But we can learn something from Douglas Adams's The Hitchhiker's Guide to the Galaxy. When the world is coming to an end, it is important to keep your emotions in check. In other words, don't panic.

Panic rarely delivers good decisions. When panic does bring us to the right conclusion, it does so by accident. When fear and doubt are the guiding emotions, we humans are prone to seek explanations that are plausible, not necessarily explanations that have evidence to support them.

This makes us vulnerable to what would otherwise be recognized as misinformation. The story seems compelling because it stokes our worst fears, and a human filled with fear is likely to take action.

It is always important to consider the motives of those who routinely provoke our anxieties. They come to us with ingratiating smirks and inform us that we are doomed unless we sign here for salvation. In the United States, we call these people “Snake Oil Salesmen.”

A Snake Oil Salesman paints a grim picture of your life, conjures symptoms out of thin air and then presents you with a product that will solve all your troubles. Essential to this tactic is the active silencing of contrary evidence, alternative explanations and proven methods.

How do we avoid being fooled? How do we prevent popular delusions and the madness of crowds? Well, it starts with rooting ourselves in the evidence. The evidence, chiefly Article 32 ("Security of processing"), suggests that GDPR is demanding organizations take specific technical and organizational measures to protect personal data:

  • Take a risk-based approach to data protection and security, selecting measures appropriate to the likelihood and severity of harm to the individuals whose data you hold.
  • Establish technical measures to validate that data is protected (the regulation names pseudonymization and encryption as examples).
  • Continuously monitor data protection measures, with a process for regularly testing, assessing and evaluating their effectiveness.
  • Correct any protection failures, and notify the supervisory authority when personal data is compromised (within 72 hours of becoming aware of the breach, where feasible).

You see? These data protection methods have been regular practice for more than 20 years. It stands to reason that if we already know how to keep data protected, then we already know how to comply. Again, there is no place for anxiety or fear. But essentials can get lost in legal-ese and bureaucrat-ese.

As we continue this series, we will bring out the Rosetta Stone and translate the statements above. We'll look at each of these technical measures and see if we can collapse them into security themes. If we succeed at this project, we can once and for all dismiss the anxiety and walk bravely into May 2018.