> I think its articles are difficult to understand

IANAL, I am a security/privacy consultant. I have a strictly technical/security background but didn't find the GDPR that hard to understand at all. Actually, I was pleasantly surprised that the text itself was quite easy to read, even though really understanding the consequences requires a bit of background research. A year ago, I got CIPP-E certified in a month just by self-study.

> I found it is very difficult to translate from the regulation text to code, to actual implementation

Well yeah, I'm with you on that one. I think it is not because the text is too vague, but rather because it was written in a way that allows companies to implement it in a way that fits their size and the sensitivity of the data. Art. 32 is the most important one for security/technical protection. It allows you to implement security controls the way you see fit, as long as you can demonstrate that you made an appropriate decision based on the risk of the data. I think that is the strength of it, not its weakness: a small company doesn't need formal authorization processes if they can show that the user administrator knows all personnel personally and issued the correct authorization profiles for the roles. Telephone numbers from contacts don't need to be protected in the same way you need to protect medical data.

The advantage of the wording is that the controls just need to be "good enough". The disadvantage is that there is no checklist of security controls to take, and hence you never know for sure whether good is really good enough until you have had a visit from the data protection authorities. That remains a problem, but I think if you can explain your reasoning, they might disagree, but if the reasoning is solid enough they won't fine you for it, because you can demonstrate you acted in good faith. Therefore it is important to document the reasoning behind your decisions.

> I found this regulation put too much burden on small businesses.

For a small company, setting up the "records of processing activities", doing a basic risk assessment and setting up processing agreements can be done in a couple of days. I don't think that's too much of a burden. For many of my clients, it helped them identify weak spots in their security, which is a win-win for both the company and their customers.