Is GDPR fine or is GDPR fines? The jump from Minimum Viable Preparation (MVP) to Minimum Defendable Measures (MDM)

A lot of organisations took what is best described as an MVP (Minimum Viable Preparation) approach in the run-up to the GDPR becoming effective in May 2018. This was understandable given a general lack of clear guidance, the cost and disruption of in-depth preparations, uncertainty over the impact of Brexit and the mixed messages regarding enforcement.

Nothing much happened for a year, during which time MVP seemed to many like it had been the right decision. However, the recently proposed penalties for BA and Marriott (£183m and £99m respectively) seem to have sharply nudged organisations into reassessing that approach and looking again at their compliance posture.

The GDPR impacts a number of areas, e.g. data subjects' rights, data security and lawfulness of processing, and it interacts with marketing rules (PECR). Whilst fully addressing all of these is desirable, where should organisations sensibly focus their renewed efforts first? So far, the really big proposed fines have related to data security and personal data breaches. This makes sense: whilst the lawfulness of processing is very important, the negligent loss of personal data to the depths of the dark web is calamitous, and it is calamitous whether the data was being processed lawfully or not.

The regulation itself does not get very specific about how organisations should secure personal data. Beyond naming literally a handful of technologies (pseudonymisation and encryption, in Article 32), it opts instead for the catch-all "appropriate technical and organisational measures", the 'Security Principle'. This was designed to remove the checklist defence and to stay evergreen, both as guidance and as a regulatory test. In practice it means that if you are breached, you need to be able to demonstrate that your security was appropriate to the risks of your data processing and to the current threat environment. With this in mind, we see organisations now moving to more of an MDM (Minimum Defendable Measures) mindset.

Which brings us to one key area of defence: the firewall. "Everyone has a firewall". The problem is that traditional firewalls make their decisions at the network and transport layers (addresses, ports, protocol state), whereas most attacks on web applications now arrive inside perfectly ordinary HTTP requests at the application layer: injection in a query parameter, a script in a form field, a path traversal in a URL. A traditional network firewall cannot see into the request, so it does not know to block it. A WAF can, because it parses the HTTP request itself and applies rules to the decoded path, parameters, headers and body. It can do this for encrypted traffic too, provided it terminates TLS in front of the application (i.e. it holds the site's certificate and key); a device that merely forwards TLS on port 443 sees only ciphertext.

A WAF is a Web Application Firewall.

They are appropriate, cost-effective, and they work. I'd highly recommend one. Ours are also really easy to use.
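To make the layer difference concrete, here is an added illustration (not edgeNEXUS code, and not from the original article) that runs the same four HTTP requests through a port-based filter and through a minimal HTTP-aware inspector. The sample requests, the three signature rules and the function names are all constructed for this example; a real WAF would carry far larger rule sets, normalise input more aggressively and handle evasions such as double encoding. The point it shows is that the port filter answers "allow" for every request to 443, while the request-level inspector can say where in the request the problem is, and it can only do so because it is looking at decrypted, decoded HTTP.

```python
"""Constructed example: a port-based (L3/L4) decision versus an HTTP-aware (L7)
decision over the same requests. Rules and sample traffic are made up."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

ALLOWED_PORTS = {80, 443}

def l4_decision(dst_port: int) -> str:
    """A traditional packet filter sees addresses, ports and flags only."""
    return "allow" if dst_port in ALLOWED_PORTS else "drop"

# Hypothetical signature rules applied to each decoded request field.
WAF_RULES = [
    ("sqli",      re.compile(r"(?i)(\bunion\b.*\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+|--\s*$)")),
    ("xss",       re.compile(r"(?i)<\s*script\b|on\w+\s*=")),
    ("traversal", re.compile(r"(\.\./|\.\.\\|%2e%2e)")),
]

def parse_http_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, decoded path, query pairs, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    return {
        "method": method,
        "path": unquote_plus(parts.path),
        # parse_qsl percent-decodes values, so rules see the attacker's real payload
        "query": parse_qsl(parts.query, keep_blank_values=True),
        "headers": headers,
        "body": body,
    }

def waf_decision(raw: str) -> tuple:
    """Inspect every decoded field; return ('block', reason) or ('allow', '')."""
    req = parse_http_request(raw)
    fields = [("path", req["path"])]
    fields += [(f"query:{k}", v) for k, v in req["query"]]
    fields += [(f"header:{k}", v) for k, v in req["headers"].items()]
    if req["body"]:
        # Assumes a form-encoded body; a real WAF would branch on Content-Type
        fields += [(f"body:{k}", v) for k, v in parse_qsl(req["body"], keep_blank_values=True)]
    for where, value in fields:
        for name, rule in WAF_RULES:
            if rule.search(value):
                return "block", f"{name} in {where}"
    return "allow", ""

# Constructed sample traffic: one benign request and three hostile ones.
SAMPLE_REQUESTS = [
    "GET /search?q=gdpr+fines HTTP/1.1\r\nHost: app.example\r\n\r\n",
    "GET /search?q=%27+OR+%271%27%3D%271 HTTP/1.1\r\nHost: app.example\r\n\r\n",
    "GET /download?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1\r\nHost: app.example\r\n\r\n",
    "POST /comment HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "text=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
]

def compare(raw_requests, dst_port: int = 443) -> list:
    """Run both filters over the same requests. The L4 filter allows all of them,
    because all it can see is 'TCP to port 443'; the L7 inspector blocks three."""
    return [(l4_decision(dst_port), *waf_decision(r)) for r in raw_requests]

if __name__ == "__main__":
    for l4, l7, why in compare(SAMPLE_REQUESTS):
        print(f"L4: {l4:5}  L7: {l7:5}  {why}")
```

Note that the inspector only gets plaintext to parse because, in a real deployment, the WAF terminates TLS and re-encrypts towards the backend; with TLS passed straight through, every one of these requests would look identical to a device on the wire.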

edgeNEXUS makes it noticeably easier to create, secure and sustain an exceptional application delivery experience. 

Complexity is for source code. Not the user interface.


About John Payne