The General Data Protection Regulation (GDPR) is not about products, stated Ilias Chantzos, Symantec's senior director of government affairs for EMEA and Asia, as he addressed an audience at Infosecurity Europe 2017, Europe's largest infosecurity product vendor feeding frenzy.
Given the commercial interests of the assembled vendors, this may come across as a somewhat controversial statement.
Many here today will be advertising “the box that can solve your GDPR problems,” said Chantzos before helpfully reminding his audience that there is, indeed, no box that can “solve your GDPR problems”.
The landmark piece of privacy and data protection regulation is about putting processes and controls in place to meet the desired outcome for customers, said Chantzos. “The governance structure drives GDPR. The regulation's focus on accountability will mean precise documentation and proof that organisations do in fact have the right controls in place. To be sure, the advent of this piece of regulation will profoundly change the governance structure of more than a few organisations.”
GDPR still figured heavily on the floor of Infosecurity Europe, where products that would aid GDPR compliance were nearly ubiquitous.
Varonis was offering a solution to help users identify data owners, identify insiders and build accountability structures within an organisation, all of which are key parts of compliance.
But even they agreed that no product could, by itself, make you compliant come May 2018. Dr William Priestley, sales manager at Varonis, told SC “there is no silver bullet.”
“Ninety percent of it,” said Priestley, “is around what the business policy is; decisions need to be made, decisions need to be recorded and the reasons behind those decisions recorded as well, so when it comes to showing it to the data protection authority, you have clear evidence.”
Steve Armstrong, managing director of Logically Secure, was, he admitted to SC, offering a product to help with compliance. Still, he added, “the people here are selling a product they'll slap in that will be trying to map on what you need against their product.”
The problem goes slightly further than that. “There's so much personal information that is percolated across our environment that there is no product that can actually understand your business,” explained Armstrong. He added that people really don't understand just how wide the definition of personal information becomes under GDPR: it can include cookies, IP addresses and certain hostnames.
Compliance with GDPR, said Armstrong, is going to require more than just a financial commitment: “It's going to be this strategic and fundamental rethink about what is data, what is non-personal data and what is personal data. When people get into it, they're going to be scared as to how much data is personal.”