• United States




It was 35 days to GDPR, and a lot of sleepless nights

Jun 20, 20183 mins
ComplianceData and Information SecurityGovernment

GDPR went live on May 25, 2018. A month before the implementation date, attendees at the RSA Conference struggled with being fully ready.

struggle to cultivate digital primary2
Credit: Thinkstock

If regulations are waves, then the General Data Protection Regulation (GDPR) is a tsunami. The GDPR is a European Union regulation on data protection. While other regulations are somewhat limited in what they do, GDPR touches every aspect of data. From the collection, processing, transmittal, application development, data handling and much more. Any firm that handles personal data (and GDPR has a pretty wide definition of what that is) has a lot to do to be GDPR compliant.

On April 17 and 19, I lead two Peer2Peer sessions on the topic at the 2018 RSA Conference. When GDPR went live on May 25, firms were faced with reality that they had to be fully compliant. The predicament many attendees were facing was that even with all the preparations they did (and in some cases they weren’t all that well prepared), there was still a significant amount of uncertainly if they were doing enough.

The attendees were from a wide range of organizations. Many of them were from US-based firms that have a large presence or headquarters in the EU, and did handle in-scope data.

There were a number of areas where the attendees had concerns. The sessions focused on the following areas:

Where do we even start?

“Let’s start at the very beginning, a very good place to start” is a line from The Sound of Music. But GDPR is so vast, many attendees were struggling to understand just where to start their GDPR work. Do they start at the database, the application, developers, storage, elsewhere?

Am I a processor or controller?

Article 4 of the GDPR creates two very different roles, data controller and data processor. Sometimes a firm is one, sometimes both. But attendees struggled to come to terms with their GDPR identity. Some were hybrid in what they did with personal data. Does that mean that had to do double the effort?

Data mapping

GDPR requires an entity to know exactly where all of their data resides, the data type, and then to classify it. This is a substantial effort that many firms struggled (and are struggling) to complete. An observation shared was that Y2K was about finding every 2-digit year code within application code. That was a huge effort for some firms that had thousands of applications. GDPR is orders of magnitude more difficult as firms need to know the deep dark details of every aspect of PII they acquire and store.

Just what is in scope?

Attendees grappled with defining just what in-scope GDPR data is. There is no conclusive definition of what is or is not considered in-scope for GDPR, and therein lies a huge challenge.

Can my company even stay in business?

We spoke about how Drawbridge divested their advertising business due to the complexities they would have had to gone through to be GDPR compliant. Some attendees questioned how their firms would also be able to comply. (Note that on May 10, 2018 – Klout announced they are ceasing operations on May 25, 2018; which is certainly due to GDPR).

The main theme that emerged is that GDPR is a huge and that the EU regulators are taking it very seriously. Attendees struggled thinking that they are not really sure if they are ready. Many had a lot more questions than we had time for answer. GDPR is going to keep things very interesting.


Ben Rothke, CISSP, CISM, CISA is a senior information security specialist at Tapad and has over 16 years of industry experience in information systems security and privacy.

His areas of expertise are in risk management and mitigation, security and privacy regulatory issues, design and implementation of systems security, encryption, cryptography and security policy development.

Ben is the author of Computer Security - 20 Things Every Employee Should Know (McGraw-Hill). He writes security and privacy book reviews for Slashdot and Security Management and is a former columnist for Information Security, Unix Review and Solutions Integrator magazines.

He is a frequent speaker at industry conferences, such as RSA and MISTI, holds numerous industry certifications and is a member of ASIS, Society of Payment Security Professionals and InfraGard.

He holds the following certifications: CISM, CISA, CGEIT, CRISC, CISM, CISSP, SMSP, PCI QSA.

The opinions expressed in this blog are those of Ben Rothke and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.