back to article It's holistic, dude: How to dodge the EU's £17m data regulation sting

Holistic IT is hard. There are those among us who want to purchase hardware, software, services or so-called turnkey "solutions" – as vendors call them – bearing logos and stickers and otherwise don't require any architect-level thinking. None of us wants to dive deep into compliance regimes to understand what we need to do. …


    Ahh, the compliance industry. Truly a gift of employment to those who would, otherwise be...

    ... unemployed.

    1. craigb

      Re: Ahh, the compliance industry. Truly a gift of employment to those who would, otherwise be...

      To be fair, a lot of compliance people would be out of work if other staff and management were just compliant with reasonable common sense.

    2. Anonymous Coward
      Anonymous Coward

      Re: Ahh, the compliance industry. Truly a gift of employment to those who would, otherwise be...

      ... unemployed. unemployable.

      There, FTFY

    3. TRT Silver badge

      Re: Ahh, the compliance industry. Truly a gift of employment to those who would, otherwise be...

      To read the full text of this article, you will need to purchase the complete ISO framework reference document at a mere £100. To implement the contents of the article, you will need to purchase the compliance toolkit at £656 + VAT. And membership fees. And test booking fees. And sewerage charges. Oh, did I mention the deposit?

  2. Doctor Syntax Silver badge

    Years ago the corporation I then worked for had a massive IT security review put in place owing to the fact that they'd been very publicly embarrassed (I doubt the same cause/effect relationship operates today). As I was being eased out I got lumbered our business's end of it; no problem, I knew where a few of the bodies were buried and managed to find a few more. It was a massive tick-box operation - exactly what you'd expect from an ISO-9000 driven organisation.

    The results of the first stage were reviewed by someone from security. We had words on account of my refusing to tick the box to the effect that bought-in software had no undocumented functionality. I pointed out that undocumented functionality would cover bugs* and suggested that if he wasn't happy he go and have a word with procurement to see if they could get statements to that effect from Microsoft etc. A little while later the review was signed off with the box still unticked. I heard later that the reviewer had no IT background, he was from physical security.

    And, as far as I know, none of the bodies were ever excavated.

    *I'm pretty sure that what was meant was that there were no time-bombs or back doors built in, this having been in the news not long before. They should have been a little more explicit when writing the document.

  3. fruitoftheloon

    A well known outsourcer

    Apols for AC, normally I don't do that...

    About 13yrs ago a well known UK outsourcer, that isn't currently terribly well regarded in the public eye (a little unfair I think) was exposed to a fraud in one of its' financial services bits, dodgy folk ran off with £300k [or thereabouts]. This was in the public domain btw.

    I was asked to accompany head of risk/audit to see the Group FD, who's response was [I quote] "I don't f'ing care what it costs, f'ing sort it and then get a proper risk mgmt system in across the whole group, NOW"

    Unfortunately he did mean NOW, well, we had the crux of it working in a few months, global rollout with 18 months.

    With 4 x n-tier environments, PROPER controls, it was in situ for [I think] 8yrs or so.

    It's amazing how snappy IT depts and young/keen ISVs can be, it probably helped that the budget was (we added it up afterwards) about £3.5m

    All of which & this article all contribute to me hopefully improving on the IT architecture and system design for my startup (IT budget about £100 a month)

  4. Anonymous Coward
    Anonymous Coward

    Four words

    Due diligence. Due care.

    Done right you have a chance of proving you tried when things (inevitably) go sideways. Amazing how little of both are actually done. The only metric these days seems to be time (i.e., do it fast).

    1. Doctor Syntax Silver badge

      Re: Four words

      The only metric these days always seems to be time

      And money. Do it fast and cheap.

      1. Charles 9

        Re: Four words

        And the GDPR now requires you do it RIGHT. So now you're assailed from ALL THREE corners. Investors want it cheap for RoI, competition forces you to do it fast to avoid being beat, and now the law forces you to do it right or get swamped by legal consequences.

        IOW, "Pick any TWO" is not an option anymore. Now it's All or Nothing.

      2. Tom Bell

        Re: Four words

        I'm reminded of the old adage

        Fast, cheap, good

        Choose any two.....

        1. Charles 9

          Re: Four words

          But like I said, that's not an option anymore. Now it's ALL or NOTHING.

  5. EnviableOne

    DPA wanted you to agree you do the right thing

    GDPR wants you to prove it

    1. Anonymous Coward
      Anonymous Coward

      Succint, nice work

      Have an upvote, I really like that. Also in the article there's a phrase about "probably" checking security. Make that definitely: part of the GDPR deals with detection and disclosure, so you will need to be on top of that. No probably about it.

  6. Anonymous Coward
    Thumb Up


    The only thing I'd make explicit is "document, document, document." Document the compliance issues for your firm; document the requirements you derived from your list of issues (because reasons); document steps you've done to meet those requirements. If nothing else, you've covered your backside. Further, you hopefully won't be stuck in that job forever, turnover in IT being what it is, so your replacement will probably be kissing your toes as you go out the door. That and it'll still cover your backside after you've moved on. [Keeping several copies is also a good idea. Off-site!]

  7. Michael Felt

    Rules are made to be broken...

    When I was younger - I thought it meant I could break "the rules". My father, much wiser (and a law-maker) explained the purpose of a law is to restore balance where there is none, or more likely - status quo is getting out of balance.

    So, when a new law comes, or better a law is adjusted - it is like putting a new balance on a tire. Now the tire is balanced and travel is smoother. However, over time: wear and tear changes in unbalanced way. The collective balances, aka law/rule is broken.

    Another crucial point is that a law/rule be executable and/or enforceable. That is another story BUT I think it will be the key issue here - weights have been added - but not to the wheel and now we will be defending ourselves that we used the best measures ever - but the vehicle would not go straight when I held the course steady - and would not change course when I tried to take corrective action.

  8. Neil Charles


    "Marketing and sales are going to hate GDPR a lot more than IT."

    Marketing and sales are going to scream blue murder once they pay attention and/or stop pretending that GDPR isn't going to happen.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like