back to article Adrift on a sea of data: Architecting for GDPR

I’ve spent many hundreds of hours listening to sales pitches from technology vendors but it’s only during the last year I’ve started to find them rather depressing. That’s been thanks to the arrival in 2018 of the European Union’s General Data Protection Regulation. For example, I was recently pitched to about one particular …


This topic is closed for new posts.
  1. deadlockvictim

    Title: Architecting for GDPR

    "Architecting" is such a horrible word. Architects design. This is what they do. Journalists don't journalist, they report, write, investigate. Editors don't editor articles, they edit them and so on. I'm sure that dictionaries may list "architect" as a verb but they are just doing the English language a disservice.

    Down with this sort of thing!

    1. Spanker

      Re: Title: Architecting for GDPR

      I suppose judges don’t judge or prostitutes prostitute?

  2. fnusnu

    Encrypt your SAN?

    If someone carts off your SAN you probably have bigger things to worry about...

    1. Mike Timbers

      Re: Encrypt your SAN?

      In the days of Novell, I once had a client call me first thing to say his PC was saying "Server not found". "So I went to check on it, and I couldn't find it either", he said.

  3. Zippy's Sausage Factory

    Does anyone know what GDPR compliance looks like yet?

    Given that it's most likely that this legislation will have to be tested in the courts before most lawyers are 100% certain, I'm guessing no.

    1. Doctor Syntax Silver badge

      Re: Does anyone know what GDPR compliance looks like yet?

      Yes. It's doing things the way you should have been doing them all along.

    2. Hollerithevo

      Re: Does anyone know what GDPR compliance looks like yet?

      I'm having to put processes in place and I see it as a plan for regular scrubbing out at the back of cupboards ('whose data is this? It's got mold all over it and if nobody claims it I'm throwing it away') and politeness: 'Hi, we hold this info about you; are you still cool that we keep hold of it?'

      It's also like being a good date: be clean, be clear, and keep checking that she still likes it.

  4. Doctor Syntax Silver badge

    "By defining rigid data retention policies and destroying data when the policy says you should."

    Even before you get to data retention you should only collect the data you actually require. This may be rather less than manglement, particularly marketing, insist they want.

    In fact, a good place to start would be by taking away all marketing's toys: their PCs, mobiles, network shares or whatever and only give them back after auditing for PII that shouldn't be there. Also, take away their budget and only give it back to them as required for projects signed off by your data protection compliance officer. Because marketing's culture is almost certainly antithetical to that you're trying to build.

    1. Adam 52 Silver badge

      That's one solution, and likely a highly effective one because once you've taken away your organisation's ability to sell it'll go bust quickly.

      Why do IT people seem to regard business as a war between IT and everyone else? What's wrong with working together?

      I had a highly productive meeting with one of our Marketing Directors yesterday. Her response was "we know we're not good, we'd like to change please help us, by the way here's a third party we use can you help us make them compliant too."

      1. DBJDBJ

        Ah ...

        He has sold himself to you ....

    2. Hollerithevo

      Dr Syntax, I too am replying to say that Marketing are avid for information because information = leads = sales. I work closely with Marketing and Comms and they are expected to reach targets. What you need to give them is safe, easy ways for them to do what they need to do. I would rather my team didn't source their own suppliers, and so to stop every little vendor from getting hrough the door, I am proactive, I find out where the pain is or is likely to be, and I give them solutions that are fast and cheap and work. Because they are my customer. It's up to me to make things secure and to meet GDPR even when they can't be bothered. Otherwise it is like making your customers do one of those irritating captchas at the end of forms: you get them to do your anti-spam for you, because that's easier than ensuring the whole system is safe.

      Not that I don't think you are a wonderful person.

    3. Mockduncan

      Then marketing can't do its job, sales have no leads, your employer makes no money and your problem of driving GDPR compliance is over.

      Maybe the better approach is to recognise that Marketing is the engine of the business and the data compliance officer is a business support function - educate and work with Marketing to ensure they understand the regs and can continue to ensure that the business is successful so you have a job.

  5. Richard Parkin

    Liability not asset

    Only when people start to regard the personal data they hold as a liability and not an asset will security improve. And that means bigger fines for loss of data or prison.

    1. JerseyDaveC

      Re: Liability not asset

      That's an interesting way to put it. I say to people that they should assume they'll be hacked (e.g. by zero-day ransomware) and hence plan to mitigate the intrusion rather than just design a protection regime. Like the idea of considering PII as a liability in the same context.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2022