This week’s post is aimed at dealing with the unavoidable uncertainty of processing private data. No matter how careful you are, you can always have a problem. No matter how much time and money you spend on precautions, you never have certainty that everything is secure. If you can’t guarantee perfection, then what will be considered good enough?
My post for today takes the now-forgotten subject of software-process disciplines, in this case the Capability Maturity Model (CMM), and proposes it as a sustainable, repeatable, and justifiable route to privacy compliance. The CMM’s method is a sharp contrast to the most common current methods, which generally come under the label of ‘Agile’, a label which I have found, more often than not, serves as a nice-sounding synonym for ad-hoc development. Continue reading “A privacy maturity model, Part 1: Requirements”
The Belgian DPA (hereafter referred to as the CPP, to reflect its official name, Commission for the Protection of Privacy) has issued GDPR-preparation recommendations in the form of 13 guidelines for companies processing personal data. The English-language summary below is taken from a law-firm website (the originals were issued in French and Dutch only).
The good news is that the CPP has now set some priorities, giving data controllers and processors an idea of what the auditors will be looking for in the early days after the GDPR’s effective date. The bad news, at least as I see it, is not only that the guidance is mostly vague, but also that there seems to be an embedded assumption that all of this is feasible within a short time frame. Continue reading “Belgian DPA recommends taking 13 steps now”
Suppose it’s your first day on the job as a new GDPR consultant at a company. So far most of the company hasn’t done any preparation, but you’ve met with the legal team and found that they’ve studied the legislation and guidance. How can they help you at this early stage?
For one thing, your legal team can help you define what kind of artefacts (IT slang for any tangible piece of evidence; it can be any sort of file, email, paper document, etc.) will be useful in demonstrating a good-faith effort to comply with the legislation. What can you create that will be useful for your legal team?
You might want to draw some hypothetical scenarios, such as: Continue reading “Building a history of compliance efforts”
The Equifax data breach continues to reverberate in the media, raising various issues that pertain to data security and privacy.
Asymmetry between errors and consequences
These issues present an asymmetry, what risk theorist Nassim Taleb refers to as ‘convexity’, between the degree of negligence on the part of the data owner and the extent of the damage. In options theory, a convex payoff means that, in exchange for a small, defined loss, you obtain the possibility of an unbounded gain. The usual example is an exchange-traded option to buy or sell a financial asset. (Many people also think of lotteries in this context, but the analogy doesn’t apply, since lotteries are artificial, arranged as games of chance with known probabilities and a maximum payout.) Continue reading “Equifax breach, part 2: is this our future?”
“In theory there’s no difference between theory and practice; in practice, there is” – Yogi Berra
Agile and its manifesto – In theory
If Berra’s maxim applies to programming, it presents a problem for many modern development operations. In my experience, most companies label their development method as ‘Agile’. Adherence to this method usually involves daily short meetings and some software to make sure that small, discrete tasks and problems are tracked. Here is the Agile Manifesto: