Why Do Security Groups Seem to Have Issues Complying With the New GDPR?

The new European Union privacy regulation, fondly known as the GDPR (Regulation (EU) 2016/679), took effect on 25 May 2018. If you listened to some crime fighters, we would all be dead by now, as the criminals would have taken over the world. And the Internet. I do some work with the APWG, the Anti-Phishing Working Group, which works to reduce the amount of phishing and fraud on the Internet. We have been working on understanding and preparing for compliance with the GDPR for over a year. It is hard to understand and has lots of details to comply with, but it is definitely not the world-ending event some have imagined.

If the regulation is so exacting, why is compliance so hard? From personal experience, many organizations' legal and compliance teams are overworked; when new regulations appear, the teams hope that there is also some guidance on how to comply and how soon, or at least a hint as to how severely non-compliance will be treated. (If you don't agree with me, you've never worked in a legal or compliance team.) So I'm taking a wild stab here, but from my experience there are three large issues:
1. Not all data sharing is contract-based or covered by "binding corporate rules" as defined in the GDPR. The APWG's Data Sharing Agreement (DSA), a contract, was put in place to specify what parties taking our datasets could do with them. It made the sharing field very level: everyone who sent us data or took data knew exactly the boundaries of what they could do with it. Many data sharing organizations, both formal and informal, are not contract-based and now need to develop contracts quickly.
2. When a new regulation arrives, there is a certain amount of guesswork in figuring out how to minimally comply with it. Most organizations do not want to violate the law, but new laws require new thinking, new paperwork and new processes for complying with them. The EU and its member states have not been very forthright in specifying how an organization could minimally or consistently comply with the regulation.
3. The regulation has onerous enforcement provisions. Although the EU or its member states may not go after non-compliant organizations on day one, the regulation allows any EU natural person, on their own, to lodge a complaint or seek a judicial remedy against an organization. The volume and expense of such actions are unknown, which makes the previous point even harder.

Just my thoughts, but I bet I’m close to the target.

Cooper-Cain Group is a major participant in APWG's Third Symposium on Reducing the Impediments of Data Sharing

Cooper-Cain Group President Pat Cain, also a resident research fellow at the APWG (apwg.org), led the wrap-up discussions for each of the five panels at the recent APWG "Symposium to Reduce the Impediments of Data Sharing" in Barcelona, Spain, in late May. Mr. Cain has for many years been a strong proponent of better sharing of electronic crime information among crime fighters, law enforcement, and corporations.

The symposium had a number of panel discussions, ranging from the new EU General Data Protection Regulation's impact on data sharing, to details of which specific data items a crime fighter needs to be effective, to a list of tasks we can undertake to make data sharing more universal. A report of the proceedings will be published later this year.

Business Town Meeting Co-sponsor

The Cooper-Cain Group was honoured to co-sponsor the recent Business Town Meeting with the Somerville mayor, his staff, and over 100 business owners on April 26. The event, now in its tenth year, is presented by the Somerville Chamber of Commerce to provide a forum for city officials and the business community to interact, ask questions, and discuss the future of the city.