Everyone’s talking about GDPR, but who’s got their head around it?

Net Results: General Data Protection Regulation the top topic at RSA conference

RSA security president Rohit Ghai said that GDPR was making data management and privacy a prominent issue all over the world, not just in the EU. Photograph: iStock
RSA security president Rohit Ghai said that GDPR was making data management and privacy a prominent issue all over the world, not just in the EU. Photograph: iStock

Europe’s General Data Protection Regulation (GDPR) goes live in less than a month – May 25th – and, if you think some European organisations are still in a state of befuddlement, you should see the Americans.

At last week’s annual RSA Data Security Conference in San Francisco, which drew close to 50,000 attendees, GDPR was one of the top buzzwords even though, or more likely because, it was clear many attendees still hadn’t got their heads around it at all.

RSA Conference advisory board member and Virginia Tech professor Wade Baker analysed 15,000 conference call submissions from the past few years of the event and, for 2018, GDPR ranked among the top three topics, trailing only IoT (Internet of Things) and ransomware.

GDPR's unloved status was highlighted by the poet and storyteller Rives, whom RSA employed to roam and comment on the event

Hardly a session I attended didn’t at least reference it, and that included one on autonomous vehicles (they collect data, that’s why).

READ MORE

While it may have featured in the top three topics at RSA – and was the subject of both a full-day and a half-day seminar on Monday – GDPR wasn’t what you might call popular.

Funny presentation

GDPR's unloved status was highlighted by the poet and storyteller Rives (yes, a one-word name, like Cher or a Russian hacker) whom RSA employed to roam and comment on the event. Midway through RSA, Rives made a very funny presentation on the baffling infosec jargon he'd heard (including the word "infosec"), and what he'd decided each term meant (iti.ms/2Jt2baj).

On stage during Wednesday’s keynotes, he observed that everyone was talking about this GDPR thing, which made him feel like he was at a party where everyone was talking about a guy named Kevin, and he was the only one in the room who didn’t know Kevin.

“And just so you know, I don’t think you like Kevin very much,” he said to laughter.

That was clear just from looking at the shellshocked faces of the audience during the week in a briefing – with an emphasis on “brief” – entitled “The top ten GDPR challenges and how to solve them”. The session was 20 minutes long. Two minutes per top challenge.

To me, a 20-minute briefing for this notoriously complex regulation just seemed to epitomise how the US wants to deal with it: Sum it up, and then make it all end quickly, please.

I couldn’t resist going along just to see how the presenter could possibly cover that much ground. To be fair, the lawyer doing it talked fast and flew through the highlights, if they could be so termed. But the audience packing the room, and straining to hear the speaker over the cacophony of the neighbouring exhibition hall, looked increasingly alarmed as he rattled off each challenge and then, amazingly, having polished off all 10 in under 20, moved to questions.

Too late to sign up

Though not before noting that, as GDPR would come into effect in, gulp, a month, it was of course too late for anyone there to have their company sign up immediately for the Privacy Shield data exchange agreement. But they could also use SCCs (standard contract clauses), he said.

GDPR is the first indication that something is going on. If we don't take control of our destiny, it's going to be controlled for us

At that point I looked alarmed myself, and thought: "Umm, perhaps not if the European Court of Justice has anything to say." But the presenter avoided mentioning that the Irish High Court is referring a case to the ECJ, which could very well overturn both the adequacy of SCCs as well as Privacy Shield itself.

Explaining all that clearly wasn’t going to fit into the briefing’s allotted 1,200 seconds. However lots of companies on the exhibition floor – most of them, actually – had something somewhere on their booths about GDPR. And many of the dozens of conference sessions were specifically or peripherally on GDPR.

GDPR came up in many of the keynotes, too. In his, Cisco chief security and trust officer John Stewart chided the tech and security industry for not doing enough to prevent what he called "incidents", and said that if the industry didn't improve – demanding security be to the fore in products and services, for example – it should expect more laws and regulations.

“GDPR is the first indication that something is going on,” he said, concluding, “if we don’t take control of our destiny, it’s going to be controlled for us.” A bit dramatic, but yes.

Full compliance

In the event's opening keynote, RSA security president Rohit Ghai said that GDPR was making data management and privacy a prominent issue all over the world, not just in the EU, not least because – as was emphasised over and over by presenters at the event – organisations outside the EU will have to handle the data of anyone inside the EU, including temporary visitors, in full compliance with the GDPR.

Or, as we were warned in the 20 minutes of top 10 challenges, risk gasp-inducing fines and very likely, litigation (lawyer up, he cautioned, you’ll need counsel).

No wonder, then, that Rives had a slide stating GDPR must stand for “G*d Damn, People Really like to talk about this GDPR thing.”

Just imagine the conversation after May 25th.