When Jamie Randall, CTO of the IASME Consortium, was asked to speak at yesterday's SC Congress Amsterdam on upcoming EU data protection regulation, he says that he, like many people, "promptly fell asleep".
Although he said this for effect - and he finds the topic very engaging - the truth is that many people's eyes glaze over at the very mention of regulation.
However, there is a pressing need for organisations to formulate their strategy for dealing with the General Data Protection Regulation (GDPR). It was only this month that the EU Council and Parliament agreed the final draft of the regulation and organisations now have a grace period of two years to get their act together.
And it will have real effects on countless organisations, as Randall said. "I want to disagree with this view that the regulations aren't particularly interesting". In fact, upcoming data regulations "have real potential to impact information security, particularly for small- to medium-size companies".
In his work at IASME, Randall spends a lot of time with just such small- and medium-sized businesses. While there's a strong awareness of data protection in that arena, it's stunted by a lack of practical understanding about how to comply with regulation, deal with breaches and properly protect personal data.
Most small companies, for example, would find it impossible to report within 72 hours, a key requirement of the GDPR.
However, small businesses have one key advantage over their large counterparts. Not worn down with large amounts of stringent security policies, "small businesses can be agile", he said, in meeting regulatory requirements.
Standards are useful, said Randall, speaking in regard to national minimums like the UK's Cyber Essentials standard.
"They clarify the expectations of regulators," he said, which up to this point have been all too hazy.
The problems that might plague small business in these regulations might also plague the corporate world. In fact, it might be worse for them as demonstrated by Dai Davis, a lawyer and security expert, and Elisabeth De Leeuw, an IT security and identity architect, who perhaps brought more questions than answers to the panel.
It's all well and good to put breach reporting into law. Here, said De Leeuw, the problem is, "How can we comply and how can we enforce these rules?" These are not easy questions in a connected world, where the opening price of living in that world is sharing information, willingly or not.
Furthermore, Davis added, directives which make up much of incoming European data regulation do not control citizens, they control governments: "The purpose of the new regulation is where you have a uniform playing field."
It's then up to national governments to apply that to their citizens. "Will it bring about change?" asked Davis, "Well, that's about enforcement." And it's here that the cracks may show.
So while the benefits will include one set of rules for 28 countries, there are ways to reduce the breach reporting requirements, by keeping data held to a minimum, using segmentation of databases, masking of personal data or encryption, but nonetheless, there is still a need to report breaches, and on the basis of this panel discussion, it looked unlikely if most organisations will be ready within the required two years.
