We are going to continue on from the previous blog and learn a little more about the GDPR.
When you go out to a restaurant with a group of your friends, you can all pay, and then you can fight amongst yourselves about who gets stuck with paying for the whole bill. This is an excellent example of what the GDPR has done, and what’s fascinating is that it allows data controllers to explicitly go after their data processors if the controller has to pay a fine that they think was caused by the processor’s misbehavior.
One of the things I saw in the relationship between data controllers and data processors reminded me of HIPAA. Why?! Because if I read this right, it says that data controllers and data processors have to have contracts between them that clearly delineate roles and responsibilities under the GDPR. Doesn’t this sound like a business associate agreement in the HIPAA regime?!
Very similar, right?! They even call them data processor agreements.
I find it interesting that an American Department of Defense data protection regime, a lot of the ways the GDPR works, HIPAA, the New York Department of Financial Services regulation, and DFARS are all starting to blend. There’s a lot of commonality between these, and I find it fascinating that we might be converging to a point where things are going to start looking a lot more similar than different.
What can you take from all of this and apply to your business?! It is good for you to know how this works and apply it to your cybersecurity practices.
It’s your responsibility to be reasonable in your cybersecurity practices. The regulation leaves you the freedom to figure out what precisely that means, and with that freedom, I see confusion in our customers. They like the idea of reasonable, but they struggle to define it. I see them develop an appetite for a checklist, which is disheartening.
The problem with this is that, in the information age, the security of your products and services touches every aspect of your business and development cycle. You cannot reasonably expect a checklist to cover everything that needs your attention.
The GDPR covers the personal data of European Union citizens and residents. There’s an open question about what happens if you move to the US: you’re no longer a resident, but you’re still a citizen. I expect that some of these questions will be answered quickly by case law, and I think others will take a little longer to tease out. Maybe they’ll amend the regulation.