How to implement GDPR

GDPR stands for General Data Protection Regulation. It is an EU directive that, as of the 25th of May 2018, will very likely wreak havoc on your organisation. Most of your current software probably doesn’t comply with its rules – and yes, I am referring to that piece of code that was written a decade ago by a guy who has since quit, and that nobody knows how to maintain.

It opens the door to class action lawsuits for privacy breaches, and sets standards for data storage that most system developers don’t even understand, and that were never implemented in your original application. An example is how it requires you to store sensitive data as a (cryptographic?) hash key instead of as plain text. Ask your dev guy if he has done that. Unless his knee-jerk reaction is “of course”, while smiling from ear to ear, you have a problem!

It focuses on the right to be anonymised in your data, and requires the application to have been “securely implemented”. It gives any user in your dataset the legal right to demand that you send him or her all the data you have on him or her, and that you, as soon as possible (within 1 month), are able to delete *everything* you know about him or her. It explicitly blames YOU, unless you have taken steps to make sure you comply with its rules. This is true for both the software owner and the sub-contractor you hired a decade ago. For privacy, it’s Heaven on Earth in Europe. For companies with legacy apps, it’s arguably Armageddon.

Some of its articles tie directly into how your original code was written, and demand that it implement security measures to prevent data breaches. For instance, are you storing your passwords as salted hash keys? Are you providing protection against brute-force password guessing? Is your data transferred over a securely encrypted connection? If you can’t give the right answer to questions such as these, your company might become the subject of class action lawsuits by millions of EU citizens, as of the 25th of May 2018. Now for the record, it doesn’t explicitly mention things such as server-side salted hashed passwords, but a good lawyer might argue that this is a “common best practice security thing to do”. And if you haven’t followed all the “common best practices” in regards to security, you can be liable for fines with a VERY large number of digits. In that regard, what is probably most interesting for an actual lawsuit is its “gray areas”, where it doesn’t explicitly speak about a specific point, but where a good lawyer might argue “it is obviously within the boundaries of the GDPR’s intentions”. Trying to explain to a judge what a server-side salted hashed password is, is the equivalent of trying to make a chicken understand quantum mechanics. Believe me, I should know … 😉
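The “salted hash keys” the paragraph asks about, side by side with the record shapes a decade-old application tends to hold, as an added example that is not code from the original post. The record format, the iteration count and the sample users are assumptions made here.

```python
import base64
import hashlib
import hmac
import os
import re

# Added example, not code from the original post: a password store that meets the
# "server-side salted hash" expectation discussed above, plus an audit that flags
# the record shapes a decade-old app tends to hold (plaintext, bare MD5/SHA-1 hex).

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed; tune per hardware)
HEX_DIGEST = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40})$")  # 32 = MD5, 40 = SHA-1
b64 = lambda raw: base64.b64encode(raw).decode()

def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt$digest."""
    salt = salt or os.urandom(16)  # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${b64(salt)}${b64(digest)}"

def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # not one of our records (e.g. a legacy value)
    _, iters, salt_b64, digest_b64 = parts
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    return hmac.compare_digest(candidate, expected)

def classify_record(record: str) -> str:
    """'ok' for a salted PBKDF2 record, otherwise the legacy shape it appears to be."""
    if record.startswith("pbkdf2_sha256$"):
        return "ok"
    if HEX_DIGEST.match(record):
        return "unsalted_hash"  # same password -> same hash; precomputed tables apply
    return "plaintext"

def audit_store(store: dict) -> dict:
    """Map every user whose record is not a salted hash to the problem found."""
    return {u: c for u, r in store.items() if (c := classify_record(r)) != "ok"}

def upgrade_legacy_md5(password: str, record: str):
    """On a successful login against a bare MD5 record, return its salted replacement."""
    if hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), record):
        return hash_password(password)
    return None
```

Running `audit_store` over an existing user table tells you which records still need the upgrade-on-login path before anyone asks the question in court.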

If you haven’t implemented every single “best practice” in regards to security – Oops! John Doe just stuck a straw into your company and is sipping a couple of millions from your shareholders’ bank accounts …

When you’re in court, what’s important is not what the contract explicitly talks about, but rather what it “vaguely insinuates”. This is where the Devil hides …

HELP ME, PLEASE!!

If you’re not panicking now, I haven’t done my job. Simply because “only the paranoid survive”, and a prerequisite for becoming paranoid is to go into complete and utter panic first! However, there is redemption. Now of course, if you’re a Fortune 500 company, you probably have an army of lawyers and developers who have been working with GDPR for years already. If you’re not a Fortune 500 company though, you probably can’t afford an army. Luckily, there are dozens of experts in different fields related to GDPR who are here to help you. People who care about privacy, and people working with extreme security measures (me for instance) – while also seeing the glass as half full, and wanting to help companies actually comply. Do a quick search for GDPR consultants in your area, or contact a company with expertise in privacy and security. Or send me an email requesting help, if you have no idea where to start. I happen to have the tools and the know-how necessary to help you, if you don’t already know anybody else. I also know security experts and legal experts from all around the world, including EU lawyers in Greece and security experts from South Africa and Norway, and I can help you get in contact with someone matching your needs in your local area.

“Only the paranoid will survive” – Andrew S. Grove, CEO at Intel

Peace out, and take a deep breath; it will be OK, as long as you take this seriously first. The first step to comply is to remember that Security is King! And ask for help. You will need it!
