General Data Protection Regulation (GDPR) - Thoughts

posted Jun 26, 2016, 10:31 PM by Sami Lehtinen   [ updated Jun 26, 2016, 10:34 PM ]
  • Read about General Data Protection Regulation (GDPR) @ Wikipedia or GDPR @ EU Justice portal
  • Privacy by design. That's a nice dream. The truth is that privacy regulations usually aren't followed, and so what? Because the stuff doesn't end up in court, it's treated as good enough, even if it might not be legal.
  • Risk assessment - It's funny that so many security requirements refer to risk assessment. Yet the risk assessment can be done very differently for the same case, depending on the viewpoint you start from. So it's totally negotiable and subjective. Some might think that no security whatsoever is required, and others might think that this is totally critical and requires extreme paranoid tinfoil hat security. Like, half our system administration staff are foreign agents and so on. ;)
  • Data breaches - Sure. I've asked this earlier. Is the problem the data breach, or the knowledge about it? As we've seen in the news and ... It's common that the messenger gets shot. It was in the news that the FBI raided a security researcher who was reporting security flaws. Nothing new. So if you find a serious security breach, and it's your responsibility, just fix it quietly and hope that nobody outside the responsibility chain finds out. If there are audit logs which would show that the vulnerability was being accessed, it might not be a good idea to look at those logs? Why? If you don't take a look, you can just say: well, well, there was a minor bug / configuration issue, we've fixed it. If you take a look at the logs and therefore know that it was being exploited - ouch, that's worse than not taking a look. I know this is totally horrible, but this is just the way things seem to often be. The same applies to many major accidents: there might have been long discussions about the related risk, but no action was taken. When the bad thing happens, it would actually have been better if it had been something totally unpredictable and random. Instead of: yeah sure, we've known about that stuff for years, but we really didn't care. So, not reporting is safer than reporting. Isn't this what all the big organizations are doing anyway? Then they can blame a single individual for an organizational failure. If things go well, then the collective failure wasn't actually anyone's fault. This has been seen over and over in root cause analyses of serious accidents. - This has nothing to do with computers or security; it's global and applies to any industry, military operations and so on.
  • Right to erasure is a nice thing. But again, it's something that might be hard to implement in some cases and cause problems for systems not designed to handle cases like that.
  • The data portability requirement will cause a lot of gray hairs for a lot of tech staff and management, for sure. It's a really, really nice fantasy, but it can cause major havoc, because systems just aren't compatible, and then there are more or less buggy and bad import / export features etc. - Sounds wonderful and really horrible at the very same time. - It's just like integrating totally different systems together, as usual. Nice idea, but it might require a lot of work and still backfire with really bad results and 'random' malfunctions, causing years of bad reliability. Stuff which isn't automated gets broken over and over again by someone changing something manually and ... All the usual stuff. There might be some hidden dependencies; if the feature isn't used a lot, it could get totally broken by future updates ... - It's a nice question how "a cloud provider" is being defined.
  • Conflicting requirements with EU-US Privacy Shield are also pretty interesting ones. But I'm sure someone will figure those out at some point.
  • It's also a huge burden for free services that these rules apply to non-commercial operations as well. Time will tell how bad this actually is.
  • Finally, the intentions are good. Those are wonderful requirements. I wish everyone would actually follow the regulation. But the reality might actually turn out to be different. - Might? I'm pretty sure it does. - Legislation hasn't fixed (much more serious) issues in the world before, and it doesn't do it now either.