The GDPR Bandwagon – Identifying the Snake Oil Salesman

Right now GDPR is becoming synonymous with ‘Get Rich Quick’ money-making schemes that almost any business can tap into in order to exploit the less well informed members of the business community.

And so, webinars and training programs are springing up left, right and center to scare you with the horror of what is to come, and to tell you how the people running those programs can provide the panacea for all your GDPR woes. This is tantamount to paying a guy you just met in the pub for financial advice. All this results in:

The desensitisation of the business community who start to ignore the true implications of GDPR, thinking they are just scare tactics.

The proliferation of ‘Bad Advice’ from organisations who have, at best, only partial understanding of what GDPR requires.

A false sense of security to businesses who think that by introducing a control and ticking a ‘compliance box’ they have nothing to worry about.

Overly fearful managers who believe they need to spend a fortune on introducing drastic changes in order to protect personal information.

A negative impact on the image and credibility of the genuinely experienced and qualified experts from the security and privacy community.

So what is the answer?

Well, for a start, I am not saying to ignore the guy at the pub, he may well be a financial adviser (or information security specialist in this case)! What I am saying is to vet your sources.

Can they demonstrate a consistent involvement in information security for at least the past 5 years?

Do they hold a reputable Information Security certification such as CISSP, CISM, C-CISO, CISA, etc?

Do they hold a reputable Data Privacy certification such as CIPP, CIPM, CIPT, etc?

Check their service reviews, testimonials and references.

Understand what you are actually getting by attending these events

Most events right now are simply awareness initiatives (along with the mandatory sales pitch) that provide you with information on ‘What’ GDPR requires and ‘What’ the implications of non-compliance could mean for a business. This level of understanding is still crucial, but it is not the end of the journey. Once you understand ‘What’, you then need to figure out ‘How’, and unfortunately there is no one-size-fits-all answer to that. Dealing with the ‘How’ will take effort to determine how GDPR impacts your business specifically, and will require that you tap into your vetted sources in order to have any confidence in the final solution.

Take Responsibility

Bear in mind that GDPR is a law: you cannot delegate responsibility or accountability, and you must do your due diligence. This includes vetting the service providers you choose to help or advise you with GDPR requirements. If you choose to neglect your responsibility for due diligence in the hope that a snake oil salesman will solve your problems, then you only have yourself to blame.

I would like to say you get what you pay for, but unfortunately there are plenty of snake oil salesmen that charge a fortune for their wares!

by Steve Gibson, Information & Cyber Security Specialist