By John Gruber
When the EU enacted GDPR in 2018, executives and security professionals waited anxiously to see how the law would be enforced. And then they kept waiting ... and waiting ... but the Great European Privacy Crackdown never came. For a while it seemed like the only way you’d get slapped with a GDPR fine was to do something truly egregious or be named Mark Zuckerberg. (Or preferably both.)
But the days of betting that you’re too big or too small to be noticed by GDPR are over. Recently, EU member nations (plus the UK) have started taking action against data controllers of all sizes: from the big (Amazon), to the medium (a trucking company), to the truly minuscule (a Spanish citizen whose home security cameras bothered their neighbors).
So what changed between 2018 and 2024? Perhaps the biggest factor was the EU cracking down on companies putting bogus “headquarters” in countries with friendly regulators, particularly Ireland. But it certainly didn’t help that the last few years have seen an unending tide of data breach stories, and the public’s relationship with tech has increasingly soured. There’s an appetite for enforcement these days, and it’ll probably get worse before it gets better.
If you’re an IT or security professional, you may be wondering what to do with this information. Unfortunately, GDPR compliance isn’t the kind of thing you can solve by buying a tool or scheduling a training session. The best place to start is to adopt a policy of data minimization: collect only the data you truly need to function, on both customers and employees.
After that, your second priority must be securing the data you have. Of course, that’s easier said than done, but you can start with doing more to protect against common breach culprits like compromised passwords. (Call us biased, but getting a password manager for every employee really is table stakes for good security.) You also need to monitor where all your data is going, so PII doesn’t disappear onto Shadow IT apps and unmanaged devices.
We’ll close with a 2022 quote from John Edwards, the UK Information Commissioner:
“The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office.”
In other words: it’s time to get serious about GDPR.
To learn more about GDPR compliance, read the full blog.
This RSS sponsorship ran on Wednesday, 4 September 2024.