Despite the GDPR being over a year old, there still exists a gap between legal and technical that makes guidance more difficult to craft and implement.
Despite the General Data Protection Regulation being probably the most famous compliance regulation in the world, many organizations are still struggling to fully understand what’s required of them.
An honest and frank look at the way that GDPR has been implemented over the last three years (the text was finalized in 2016, after all) raises concerns about how data security is perceived. Most organizations, if audited with any vigour, would likely not meet the stringent requirements that are set out in the GDPR.
Lawyer and EU privacy expert, Sophie Stalla-Bourdillon, believes that the reason for the lack of adoption lies in the legal complexity of the mandate itself. Legal teams are (perhaps unintentionally) over-complicating the mandates and causing unnecessary confusion. This legal complexity is causing the burden of meeting GDPR to be shifted to the shoulders of teams with technical skills. In practice, this means that a large number of boards are increasing their reliance on CISOs and CIOs to prove GDPR compliance.
But, CISOs cannot do it by themselves, and it’s unreasonable to believe that they can. They need all the help they can get, and that means legal help as well. Lawyers need to brush up on their technical knowledge so that they can bridge the gap between the legal requirements of the GDPR and the software, processes and practices in place for security.
In general, the GDPR is a mandate that affects the compliance team, security team, operations team and every other business department in some way. Yet most departments are refusing to take ownership of data security responsibilities.
What Can Lawyers Do to Help?
Lawyers need to be prepared to get hands-on with the technology the company in question is using and understand it to the best of their ability. Lawyers, of course, aren’t trained in niche security technologies, and many might understandably not grasp them immediately. But it’s important that the gap between the legal framework and the technology be bridged.
The gap that exists isn’t the fault of the lawyers or the technical team. Many believe the fault lies with those who drafted the language of the compliance mandate itself. Many of the articles are overly, almost unnecessarily, complex. Even definitions that you might assume are simple, such as “explicit consent”, are slightly different in the GDPR than under other EU regulations.
Lawyers are necessary to help CISOs and CIOs understand which definitions to abide by and which compliance mandates to prioritize in certain scenarios, amongst other things. The GDPR is not just a security mandate or a privacy mandate, it is a legal one.
By getting hands-on experience with the technology used to store, process or secure data, lawyers will be better placed to offer practical advice on how to become compliant.
But it works both ways.
CISOs and CIOs must be comfortable inviting lawyers into the conversation, and they cannot assume they are compliant just because they have certain technology, practices and processes in place. Technical staff must ensure that lawyers are involved before a breach occurs and not in the wake of one. Sharing the load of compliance will make it more likely that we actually achieve it.
Technology That Can Help
It seems natural that, if you are going to implement technology to help you achieve GDPR compliance, that technology should be easy to use and understand from both a technical and a non-technical perspective.
Even the most technical minds can find it difficult to draw real conclusions from complex SIEM solutions that aggregate and analyze raw logs. Data Security Platforms, on the other hand, often simplify the most complex security and compliance tasks and can produce GDPR-ready reports that are compliant from both a technical and a legal perspective.