IT security loves fear; it is the very foundation upon which the discipline is built. Much like the physical security world, without the fear of the possible there would be no risk and no purpose in reducing it. It is therefore no surprise that whenever change rears its head, it invokes a flurry of doomsday commentary of varying degrees of panic.
Ever since the UK's Information Commissioner indicated that, despite the UK intending to leave the EU, the adoption of the GDPR (General Data Protection Regulation) is almost certain, this pattern of behaviour has been notably present. Some are anxiously looking for detailed guidance on how to become compliant, some are banking on the slight chance of it being thrown out along with the EU, whilst others sigh and shrug themselves into a depressive state of inevitability, as if they sit upon a train they can neither stop nor control.
What links all these perspectives is a sense of negativity: that the GDPR is just another headache which information security leaders could live without. How dare those meddling politicians force us to be more secure... But how many of us have actually read the GDPR, or EU Regulation 2016/679, to give it its real name?
What if I told you it was written to make information sharing and transfer across Europe, and even the world, easier for businesses? That's right, the GDPR isn't intended to be repressive, despite what other articles may have you believe.
Even for the least attentive of us, it is written within the first two pages of the document:
(9) The objectives and principles of Directive 95/46/EC remain sound, but it has not prevented fragmentation in the implementation of data protection across the Union [...] Differences in the level of protection of the rights and freedoms of natural persons, in particular the right to the protection of personal data, with regard to the processing of personal data in the Member States may prevent the free flow of personal data throughout the Union. Those differences may therefore constitute an obstacle to the pursuit of economic activities at the level of the Union, distort competition and impede authorities in the discharge of their responsibilities under Union law. Such a difference in levels of protection is due to the existence of differences in the implementation and application of Directive 95/46/EC.
In a less sleep-inducing format, the GDPR is intended to remove the barriers and issues associated with trading under localised data protection laws. Today, when a UK-based organisation wishes to conduct business in a European member state in a way that involves the storage or transfer of information, there is often a prior exercise of acquiring and understanding local laws (or possibly just unintentionally falling foul of them), particularly in those member states with more stringent rules, such as Germany. As a result, this added burden may have, and undoubtedly has, made cross-border trade less attractive, something which troubles the EU.
Yes, the GDPR packs a lot of content, a big sting and lots of change for some. However, it is not unlike most of the EU's other directives and regulations; it seeks to create commonality across all states to reduce waste and increase trade. Think European free trade and financial services passporting, all of which have had a positive impact on UK and European economies alike. Ironically, these are things that most wish to retain after the UK departs the EU.
The GDPR is not scary; it is an opportunity to make things better and more cooperative. It is a headache which could cure other headaches. Levelling the playing field has but one intention in all cases: to make things fair and simple.