I was running a workshop recently and the organisation I was visiting had asked me to cover some GDPR material. Just last month I pumped out a free course on the topic for Varonis so it had been on my mind for a while, but in case the acronym is new to you, GDPR is the General Data Protection Regulation. This is the impending regulation that promises to unify how the EU handles personal data and indeed penalise (potentially quite harshly) organisations who fail to comply, including those outside the EU handling the data of citizens and residents from participating member states (with some caveats).
Anyway, one of the key components of GDPR is the right for data subjects (normal people like you and me) to have their data removed from a company’s system. All of it. Permanently. When discussing this in the workshop, it led to some very valid concerns being raised around backups, namely how on earth do you remove someone’s data – just their data – from backups that may span many versions over many years? Commentary about this on the web spans the full range from “you have to be able to do it or prepare to be penalised” through to “it’s technically infeasible within the bounds of reasonable effort”. Yet everyone who weighed in on the subject agreed that regardless of how this plays out, being able to demonstrate that you’ve done your utmost to do the right thing at every opportunity is extremely important. And that got me thinking: if all your actions relating to security and privacy were ever put on display, what would they say about you?
That thought recently came to mind when considering both my own personal security and the way in which I run Have I been pwned. I have to assume that at some time, I myself or the service I run may be subject to a security incident, and if that were to happen, what would it say about me? I probably worry about this more than most due to both the nature of the service I run and the fact that I make a living talking about how to do this right, so if my own shortcomings were to be exposed to the world, it could get kind of awkward. As uncomfortable as it may be, thinking about this before something goes wrong is obviously the right time to do it, and as I pondered that question, I inevitably thought of various places where yes, I need to lift my game.
So think about this for both yourself and your organisation – how will you be viewed if all your security practices are put on public display? Are you reusing weak passwords? Or in the case of GDPR, are you making a genuine effort to comply? Are you really sure that were you to ultimately be judged on those practices, people (or regulators) would say “yeah, they genuinely tried their best, they just got outfoxed”? Ponder that, and ponder it now while you’ve still got control of the situation.