When I first heard of the Sarbanes-Oxley Act, I was disheartened. It sounded like another overreaction by politicians to a crisis, one that would create lots of work for companies. At the time I was working for a software vendor, and while we weren't bound by many regulations, we did value our ISO certification. As we went through the SOX audit, it felt a lot like our ISO audit the previous year. In fact, we re-used most of our work, and re-did some of it, making it compliant with both.
A few years ago, we started GDPR preparations at Redgate, as well as talking and working with customers. We built some products, like SQL Provision and our Data Catalog, with the hope that they would be useful to organizations looking to ensure compliance. We have seen many companies trying to comply, and I'm glad that we can help. I think the GDPR is a step in the right direction for the future of how we manage and deal with data.
I'm also glad that companies are taking the idea of data rights and data privacy more seriously. I think those of us in technology have been lax, and the management of many companies even worse. I think I may have seen some evidence of that in this piece about a possible lack of enforcement of the GDPR by Ireland. Not to discuss politics, but I completely understand that when a very large company brings a lot of revenue to a country, there will be hesitation about disturbing that relationship.
Regardless of the politics, I did find this quote interesting. A report in 2011 on Facebook's data handling practices had this quote: “We do not consider that reliance on developer adherence to best practice or stated policy in certain cases is sufficient to ensure security of user data...” This didn't prompt Facebook to make changes to process, and Ireland has not pressured them to do so, even with the GDPR taking effect last year. I'm hoping this isn't the death of the GDPR as a set of regulations.
I completely agree with the sentiment of that quote. We can't trust that developers will adhere to best practices, or that companies will protect data. Sometimes this is ignorance, sometimes human error, and other times willful disregard for rules and regulations. We do need some sort of enforcement of the data handling practices that we as a society want to see in place. We certainly have to decide what practices to codify in our framework and we need some enforcement.
I don't know that very large tech companies will get fined or forced to handle data better, but many of us who work in smaller organizations don't have the clout or impact of a multi-billion dollar revenue organization. We might see fines that can very much hurt our businesses. We ought to be ensuring that we not only follow best practices, but build data security in by design and by default. It's cheaper and easier to do so, and it means we aren't relying on going back to fix things later.
It's also something each of us, as data professionals, ought to take pride in doing.