Reply to post: Re: We don't need more regulation

Tech security at Equifax was so diabolical, senators want to pass US laws making its incompetence illegal

Doctor Syntax Silver badge

Re: We don't need more regulation

"It is applicable as information about Brits is involved."

Article 32 says ‘Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk’.

Rightly or wrongly, the sort of management thinking illustrated here is likely to look at the mention of costs and decide they've got a let-out.

In any case, I'd have thought US citizens required something better than second-hand protection. A business that carries data of this sensitivity and volume should in any case be subject to more active regulation than GDPR, which is passive and partly self-regulatory. GDPR depends on either an aggrieved individual making a complaint or the organisation itself reporting issues to the regulator. An active regulation would be a requirement for a license and annual audits, of which the security aspect would include ensuring systems were patched and maybe some penetration testing. Without that there's a likelihood that management will adopt a wait-and-see approach and try to trade the cost of being caught against the probability of being caught.

With a license-and-audit approach, things change from fines as a cost of doing business to doing the job right as a cost of staying in business. It's a difference that can focus the managerial mind amazingly well.
