Gregg Day, Vice President and Regional Chief Security Officer, EMEA at Palo Alto Networks, has written a good piece on coming to terms with GDPR called “5 Emotional Stages of Preparing for GDPR”.
He draws a parallel to the five stages of bereavement.
“For many the first response is denial. I’m struck by how many still either don’t believe it will impact them, or don’t believe penalties will be applied; therefore, they don’t need to take it seriously (at which I’m struck by why they don’t see the societal value). The reality is that, no matter how much we choose to ignore GDPR, it is happening; and we must make the positive decision on whether we choose to embrace it or not. Typically, getting through this emotional state is a challenge of education.
This leads into the next stage of anger, which I would exemplify through the statement of “Just tell me what I need to do!”. Unlike standards like PCI, which is an industry-led requirement that is very prescriptive (you must have X & Y), GDPR contains very few clear technical definitions. For example, what is “state of the art” or “security by design and default,” and when does a breach really start? Security practitioners like things black and white; the regulation is shades of grey. It requires each of us to work across our business teams to interpret and define exactly what it does mean to our business, and how we quantify and qualify this both to our business and third parties.
All too often I’m seeing this lead to bargaining. To quote one instance, “We have been working with our legal team and will argue the definition of a breach does not apply effectively”. Whilst I’m sure a few will gain some early successes with this, to me, it feels like swimming against the tide. I can only expect definitions to be tightened where needed, but the underlying intent of the regulation is clear: protect citizens’ personal information and drive confidence in the use of technology in today’s society.
Essentially, at some stage, most go through depression (the cup half empty, which is, “This is real and happening, and you can’t ignore it or wriggle around it”). This leads to the reality that we need to understand just what the gap is between where we are and where we need to be, gathering the budget and support to achieve this within the business. This is the point to switch to the half-full cup, if you haven’t already. How often do you get the opportunity to step back from the daily cyber grind and review and re-architect with an eye to the future? Most of us are stuck with a lot of legacy that this is a perfect opportunity to phase out.
The reality is that, whether we like it or not, we end up at acceptance: It is happening; GDPR goes live in 2018, and any one of our businesses could be held to account either as a result of an incident or, I suspect for many the most likely cause will be, a third party in your supply chain requesting evidence of your compliance as they look to achieve their own. I can share with you that I’m aware of companies already getting such requests.”