May 17, 2017 at 9:10 pm
Comments posted to this topic are about the item Data Privacy and Security: The Implications of GDPR
Best wishes,
Phil Factor
May 18, 2017 at 4:56 am
I guess this is what happens when the legislators don't just listen to industry interests.
Is there an estimated compliance cost yet?
May 18, 2017 at 4:59 am
"These people will need to be data experts with experience in security and a lot of knowledge about the protection of data"
This is a nice idea, and one which I wholeheartedly support and applaud. But where are these people suddenly going to materialize from? To be blunt, the vast majority of people in our industry working with systems I see holding data which should be treated as confidential are not only functionally incompetent when it comes to these matters, but absolutely do not give a damn about it or are actively hostile to the idea. I have, and currently do work with some good ones, but they are by far the exception, rather than the rule.
For every good one, in my experience, you get a great many more who will react like an offended maiden aunt when it's suggested to them that they might like to consider approaching implementing their systems with even a nodding acceptance of basic concepts such as POLP, and quite frankly adherence to concepts like Security By Design is utterly beyond the vast majority in the industry in the unlikely event they actually grasp the concept. There's going to have to be a complete turnabout in attitudes in order to get anywhere near this - and bluntly - attitudes are heading further in the direction of fundamentally sloppy and lackadaisical than professional and competent from what I see.
I'm a DBA.
I'm not paid to solve problems. I'm paid to prevent them.
May 18, 2017 at 6:35 am
Not that I'm anti-EU or anti-privacy, but unless the company has a physical presence in Europe there's squat all Europe can do about it, just as the US can't touch companies that don't have a physical nexus in the US.
If a European citizen signs up to a US website (that's based purely in the US) then the US would have to cooperate in the enforcement of the GDPR.
Yeah, I don't see that happening.
Google and Facebook have EU presence, so they're vulnerable. Joe's Crab Shack in New Jersey? Just because they ship to somebody in the EU they don't have to care. No matter what personal data they collect.
I don't imagine Russia, China or Japan will be too enthusiastic to enforce an EU law either.
When are countries going to learn (the EU might as well be a country) that their remit ends at their border? I don't exclude the US, the EU, China, or Russia or any of the smaller players from this sin either.
Making a law that says "the world must obey" just embarasses the enacting country, whoever they are.
May 18, 2017 at 7:25 am
I don't always agree with the EU, but I so wish the US would keep up with the EU in regards to digital privacy legislation. If that negatively impacts your business model, then change your business model. Big Data companies who hoard and share the personal data are not too big to fail.
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
May 18, 2017 at 7:36 am
Phil, interesting article, although one comment on the
...mood in the USA towards personal privacy is rather different, favouring as it does the rights of the state...
comment. I suspect most US citizens would much prefer control over their personal information, similar to what the GDPR is looking to encode into law, the US Gov (either of the main parties) however are all for the "state" having easy and near unfettered access to our information.
Frankly what I can see potentially happening is sites that do "collect or process personal data" will have a ToS at sign up with language buried in it basically saying "we will collect this information and use it for our own purposes or our partners purposes." Now, it's possible there's language in the GDPR that should prevent this, but lawyers are a clever bunch and they *will* find any opening to get around a law without breaking the law.
From a purely DBA standpoint, I can see this resulting in more encryption being deployed against databases, both the "raw" data, the data at rest, and the data in transit, with the performance issues said encryption will introduce.
May 18, 2017 at 9:47 am
roger.plowman - Thursday, May 18, 2017 6:35 AMNot that I'm anti-EU or anti-privacy, but unless the company has a physical presence in Europe there's squat all Europe can do about it, just as the US can't touch companies that don't have a physical nexus in the US.
This is true, but a lot more companies than Facebook & Google have a presence in the EU, so it will have implications in the US. A US headquartered company with an Italian subsidiary can't centralize data from their Italian subsidiary unless they're following EU data protection laws. Which, from the perspective of Italians doing business with an Italian company is very fair. So, as Phil says, there are definite implications for many US companies, even if Joe's Crab Shack is in the clear.
Leonard
Madison, WI
May 18, 2017 at 11:29 am
We should require that all IoT enabled products be labeled as such, including specifications about the data transmitted, and have a simple on/off switch.
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
May 19, 2017 at 8:44 am
Eric M Russell - Thursday, May 18, 2017 11:29 AMWe should require that all IoT enabled products be labeled as such, including specifications about the data transmitted, and have a simple on/off switch.
Blue tooth terrifies me because there is no physical synch required at all.
May 19, 2017 at 11:58 am
ZZartin - Friday, May 19, 2017 8:44 AMEric M Russell - Thursday, May 18, 2017 11:29 AMWe should require that all IoT enabled products be labeled as such, including specifications about the data transmitted, and have a simple on/off switch.Blue tooth terrifies me because there is no physical synch required at all.
I'm surprised more politicians here in the US haven't done more to politically exploit the issue of digital privacy exploitation. Right of Left, young or old, the vast majority of the public get highly agitated when they think about their privacy or personal information being violated... especially when it's for the financial gain of a corporation or the Machiavellian interests of the state. Even independent candidates like Sanders or the Libertarian candidates don't really make the issue of digital privacy or security front and center. I know we Americans have a short attention span, and we have a tendency to put things out of mind if the subject is uncomfortable, but we do get agitated when someone brings it directly to our attention, and certain types of politicians know how to hit the same note over and over again when it can give them an edge (think about the Clinton email scandal). I predict that going forward we're going to see topics like this become decisive campaign issues, and politicians will be forced to make hard choices about whether their loyalty is to corporate / government interests or to public demand. The IT professional community itself will be divided on the issue.
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
May 25, 2017 at 2:06 am
FYI: Now Available: Guide for enhancing privacy and addressing GDPR requirements with the Microsoft SQL platform. Download the guide at https://aka.ms/gdprsqlwhitepaper.
Read the blog at:
https://blogs.msdn.microsoft.com/sqlsecurity/2017/05/24/now-available-guide-for-enhancing-privacy-and-addressing-gdpr-requirements-with-the-microsoft-sql-platform/
July 7, 2017 at 9:49 am
I've spent some time reading a summarised version of the GDPR regulations. These regulations give HUGE levers to those of us who favour doing things properly. I think it is worth a blog post to explain why I think GDPR could be the fantastic news for data professionals.
Viewing 12 posts - 1 through 11 (of 11 total)
You must be logged in to reply to this topic. Login to reply