The EU’s General Data Protection Regulation is promising to shake up the way businesses perceive and treat their responsibility to look after your data. Not least because a breach of legal obligations can result in a fine of up to 4% of annual global turnover, or 20 million Euros (whichever is more). Old news, unlike a fundamental impending change in my focus and the focus of my blog.
I’m taking a keen professional and personal interest in the new regime, including reading the whole darn thing, completing Privasee’s Privacy Eagle course, researching evolving legal privacy precedents, looking into blockchains (because of a natural synergy with integrity elements of privacy), and working towards more qualifications.
It’s not all about having my eye on the next consultancy prize (I’ve been lucky to have more offers of information security work than I can handle), it’s because it’s a better fit for my fundamental feelings about security.
As I tweeted some time ago:
All of my adventures in InfoSec circle back to landing appropriate accountability for protecting people from harm
My IT beginnings led me to network security, then broader IT security. That transformed (more through naming fashions than content) into Information Security (plus CISSP as the accessory of choice). Thereafter my constant craving for the ‘why’ and ‘so what’ led me through the fire pit that is SOx compliance testing, to vendor security governance and risk.
For most of the last 6 years my mind has been set on data-centric security (overwhelmingly the key to that ‘why’ and ‘so what’), driven by long and sometimes bitter experience of tool-obsessed strategies, policies, staff, comms, reports and budgets. In my own time I’ve also expended considerable effort to understand the rafts of pre-existing and new legislation around surveillance and related human rights. All the while lamenting the lack of real levers to alter the perception of security as a profit-damaging overhead. Or rather, ways to speed the tanker-like turning circle of business culture.
The next natural place to go is therefore privacy and data protection. For me the meaningful part of the impact equation, and where a difference must be made. A difference that people need us to make on their behalf, because the general population stand little or no chance of keeping up with the privacy implications of big data, AI (or current approximations), the IoT, border-skipping cloud data, and their shifting national security and surveillance related risks and rights.
That signposts a lot of content I’m likely to write over the coming months, but right now, as a lighter touch to start this new chapter, something Stuart Winter-Tear (@Stegopax), suggested: A GDPR sonnet (a tease based on the flowery language I sometimes indulge in for tweets).
Not being one to shy away from a challenge, here’s the result, with more sober prose to follow in due course.