Episode Description
What We Discuss with Naomi Buckwalter:
- What is GDPR? Privacy vs Security vs Legal?
- Does an AU company with data in the EU need to comply with GDPR?
- Is GDPR in Cloud different?
- What are the potential landmines that most of us are not aware of?
- How do small to mid-size businesses deal with the overhead of being GDPR compliant?
- Where do small to medium businesses start with GDPR?
- What is the intention behind GDPR?
- Do startups have to worry about GDPR?
- What part of EU citizen data is sensitive?
- Can GDPR be automated?
- And much more…
THANKS, Naomi Buckwalter!
If you enjoyed this session with Naomi Buckwalter, let her know by clicking on the link below and sending her a quick shout-out on Twitter:
Click here to thank Naomi Buckwalter on Linkedin!
Click here to let Ashish know about your number one takeaway from this episode!
And if you want us to answer your questions on one of our upcoming weekly Feedback Friday episodes, drop us a line at ashish@kaizenteq.com.
Resources from This Episode:
- Tools & services discussed during the interview
- Cloud Security Academy
Ashish Rajan: Happy Halloween, everyone. Welcome to the Halloween special episode of Virtual Coffee with Ashish. Today's guest... well, let me just bring her on. Hey, happy Halloween.
So, for people who are not familiar with you, Naomi, and haven't been following all the awesome LinkedIn content you've been producing for so long, who is Naomi and what was your path into cybersecurity?
Naomi Buckwalter: Happy Halloween, guys. I'm Naomi Buckwalter and I've been doing cyber since, I think, around 2006, which was the first time I dabbled in it. I was a developer before that, and I transitioned when I begged the person who was hiring for a more senior-level role in their penetration testing team.
I said, hey, I would really like to get into security. How do I do that? And I literally begged and eventually got a job as a junior-level person on his team. So that's how I got started. And I'd say that was like 14, 15, 13 years ago by now. And ever since [00:01:00] then, I've done security engineering, security architecture, security governance, and privacy.
And I apologize because this is probably the most boring topic that you can come up with, Ashish. I'm so sorry for that. So I'll try to make it interesting, but GDPR is not interesting. Like, it is...
Ashish Rajan: You know what, when two fun people combine, we can make any boring topic exciting. Especially, like, looking at us talking about GDPR.
I'll be surprised if people don't think that this is a fun episode, by the way.
Naomi Buckwalter: I've done GDPR for a couple of firms now. This is my second time doing this, but I am also creating a course in cyber for GDPR compliance.
And that is where most of my expertise is: literally book knowledge and then a few years of actually implementing this. So that's all I've got. No one's really an expert here; in the security world it's more of a privacy thing. So again, it's one of those caveats I like to give.
I'm not a lawyer. So if there are any...
Ashish Rajan: Oh yeah, good, good.
Naomi Buckwalter: ...your legal team, because I [00:02:00] know it from a security perspective, but there are so many little nuances that only your legal team should be able to talk about.
Ashish Rajan: So that's amazing, because there's so much to unpack there, the legal side and the non-legal side. But before I jump into the GDPR, because we have a cloud security audience as well:
what does cloud security mean for you?
Naomi Buckwalter: Cloud security for me is just like, it's so difficult to actually protect, because you've got your boundaries everywhere. You don't really have a good sense of where everything is. So it's really hard to track and maintain things. If you think about cloud, it's really someone else's computer, right?
So it depends on what services you're using. Where you're using infrastructure as a service, you really don't have your hands on the actual machines that are running the things. You just have, like, the OS builds off of a hypervisor. Same thing with PaaS and SaaS: the higher levels you go through cloud, the less control you have.
And for me, cloud security is like, how much control can you get at the level [00:03:00] of access that you've been given? So for cloud security, infrastructure as a service in particular, you're going to be looking at things like, you know, more granular access controls, IAM policies, things of that nature.
Instead of walking down to the data center. And I have a funny story about that, but you go to the data center and now you can do things on the actual server. You can actually log into the physical server, which you can't do if you're in Azure, AWS, Google Cloud. You just can't do that. If you can, let me know how you actually did that.
Ashish Rajan: I was going to say that's a very interesting way to put this across, because you're right. You kind of lose the sense of control as you go up the ladder for SaaS or PaaS. But coming back to the whole GDPR thing, what is GDPR again, for people who don't know what it is?
Naomi Buckwalter: Get your pillows ready.
I basically just had a fight with my legal team the first time I ever did this, because to me, privacy and security are completely separate domains. Like, privacy is a law. Obviously privacy laws are not going [00:04:00] to be something within the information security domain as we know it. The CISSP told us that, anyway.
But the more I actually got into it, like, obviously security enables privacy. You really can't have privacy without good security. And so I ended up kind of sucking it up and being like, you know what? Privacy is kind of our domain now. So it's something I've been preaching a little bit, being like, hey, guess what?
We have to do privacy now too, on top of all the other things that we do, all the 10 domains in the CISSP plus all these other things. Now it's privacy. And especially if you go into these smaller companies, they're going to expect you to do privacy and security. So that makes sense.
Yeah, but it comes with... I get it. Not a lot of people are going to know the distinction between security and privacy, but people in security are like, well, that's not my job.
That's the legal job. So GDPR, really quickly, is a privacy law that applies to the protection of personal data of EU residents or EU citizens, living residents.
Of any EU people; it doesn't have to be citizens. If you're passing through, yeah, you're [00:05:00] technically covered. So the important distinction here is: any company, no matter where you're located, you need to comply with the GDPR. No matter where you're located. So even if you're in the United States, or if you're in the EU, Africa, Asia, you still have to comply with GDPR.
It's a law, basically. There's no way around it. You have to do it.
Ashish Rajan: So you have to comply with it if you are someone who is holding onto data of European citizens.
Is there a differentiation between if you process European citizen data versus storing it? Is it that if you do both, or either, you still comply?
Naomi Buckwalter: Yeah. Technically, processing and storing are the same thing under the GDPR. In here, get your pillows ready, but there's a definition of what processing is, and
it includes the transmitting, the storage, like, the manipulation.
Ashish Rajan: Correct. You see, it's passing through. When you see it, it's like, oh yeah, you need to be GDPR compliant. I'm like, oh, I just saw it. I'm not even touching it.
Naomi Buckwalter: Some things, like if you are a friend of a person and [00:06:00] you just have a friend, like
a friend in Spain or something, and you're like, hey, can I have your personal contact information? It does not apply in that case. In most cases, it's going to be a processor of a large set of data, but there are little nuances there in GDPR world that, you know, you really should talk to your legal team about.
Guys, if you have questions about whether you're a processor or a controller, considered one of those under the GDPR, and then what you have to do. So, there are a lot of different...
Ashish Rajan: So at what point does it become a legal thing versus, like, a security and privacy thing?
Like, where would that distinction be, I guess?
Naomi Buckwalter: Yeah. So your security boundary really includes the GDPR principle of integrity and confidentiality, you know, the CIA triad, right? Yeah. Well, GDPR kind of covers everything but availability; it's not as important. But under GDPR, the InfoSec team really has to care about that one principle, integrity and confidentiality.
So everything else is really under the legal team. I can get into that more, but there's a lot of [00:07:00] paperwork, a lot of evidence gathering that comes from the InfoSec teams. They have to be prepared to show evidence that they are following all the integrity and confidentiality things. So I can get more into that if you want, but it's just...
Ashish Rajan: No, the pillows are starting to come out from the legal side. I've got a question here from Vineet as well. If you're an Australian citizen and your data is located in an EU data center, do we need to be compliant with GDPR?
Naomi Buckwalter: You have to comply. It doesn't matter where your data is stored. And that's actually a really great question. It's like, so all my data is in an EU data center. Does that make us compliant? And the answer is no, there's more to it than that. It's not just where your data is stored. It's what you actually do with this data.
So under the GDPR, there are seven principles, and one of them is integrity and confidentiality, but there are other ones, you know: data storage, where it is; data minimization, you know, how much you're actually using it, for what purposes; legality, transparency and fairness. All this stuff.
[00:08:00] The seven principles under the GDPR existed before the GDPR was even a thing. So the seven principles of good privacy management have been around since forever. So if you're not doing those seven things, you've got an issue. You're not just not compliant with GDPR, but you're not compliant with a whole bunch of other privacy laws that you should probably care about.
But just the fact that you're an Australian company with data in the EU does not make you automatically compliant. That is like the number one thing that I hear all the time. So if you guys have heard of Privacy Shield, standard contractual clauses, all that really, really boring stuff, all that legalese.
That kind of covers you in a way where you can actually store data outside of the EU, but a caveat to that: Privacy Shield has been knocked down a couple of years ago. So you want to really rely on standard contractual clauses for that.
Ashish Rajan: I think, to your point, just the subtle nuance over here is that if we are saying that I have data in my European data center, but I'm not storing European citizen data, then I don't have to worry about it. Or do I still need to think about it?
Naomi Buckwalter: Well, okay. So if you're storing data [00:09:00] that's not personal data, then, you know, the GDPR does not apply to you.
Ashish Rajan: I think it's good to clarify that, because some people would just go down the path like, oh, but I'm using the data center, I guess I have to be GDPR compliant.
Naomi Buckwalter: No, it's just personal data. So remember, things like your name, your email address, your IP address, and then any combination of things that could actually identify someone. So like your date of birth and your gender and the hospital you were born in, and your sexual identity and sexual orientation, all those are special categories of data.
So you want to really be careful about what you're collecting, what you're processing, storing, and stuff.
Ashish Rajan: The way that I think about this is, only if you're storing personal information in your European data center, is that when you're really looking at this? Is that right?
Naomi Buckwalter: Personal data, any personal data of EU citizens and residents, right. Living residents.
Ashish Rajan: If you store data...
Naomi Buckwalter: Okay.
Ashish Rajan: Great, great, great, great, great grandfather data.
Naomi Buckwalter: Yeah. I don't know. I think there's a [00:10:00] thing in the GDPR, it's just for the people who are alive. I'm sure there's something else. Like...
I'm sure there might be something within the 99 articles of the GDPR where you're like, no, you actually have to protect dead people's personal data, but you have a terrible business model if you're marketing to dead people.
Ashish Rajan: I want to add another layer to this conversation now. So GDPR, we spoke about it in general. But what about GDPR and cloud? Is that any different?
Naomi Buckwalter: When we talked about cloud before, it's all about perimeter and micro-segmentation control at a very granular level.
So it is going to be a little different for people who actually need to implement GDPR security controls. So yeah, I would say it is different, for sure. And it depends on what cloud you're in, too, because each cloud is going to have different services that map down to the GDPR controls.
AWS has a very nice set of security services that you can use for GDPR. I would say Azure is probably even better, because they have literally reams of documentation on [00:11:00] how to map specific Azure services to the GDPR controls. And they have a spreadsheet. I feel bad for whoever actually has to put that together, because you think security questionnaires are bad, right?
Like, imagine having to write together a control map for GDPR and Azure services. Oh, snooze fest. So sometimes I'm glad for what I do, but yeah, it really is different. GDPR in the cloud is, I would say, a little different than on-prem, because on-prem you have more control. Like, you can go over to your data center.
And let me tell you a funny story about that, since I teased it up. So the first week of one of the new jobs that I got, I had to go to the data center to do something, but I was trying to make an impression, so I wore high heels. Right. So I didn't know this, but it was my first time in their data center, because I'd been in other data centers where they didn't have the raised flooring.
It had kind of the little grates. So as I was walking, my heels got stuck in the [00:12:00] grates. So my shoe fell off. Right. And I'm like, you know what, why don't I just walk around barefoot?
And then what happened was, I was walking around barefoot in the data center and I ended up cutting my foot open on one of the pallets, because one of the tasks that I was given was to count the SKUs. And so I walked too close to one of the pallets and it had wooden splinters sticking out.
And so I had actually cut my foot open and I was bleeding on the floor of the data center, and this is like my first week of this job. And I'm like, oh, this is bad.
Ashish Rajan: And you're like, I'm fine. I'm fine. There's nothing wrong with me. It's okay. It's just blood. Don't worry about this. Halloween anyways.
Naomi Buckwalter: So bad.
But the thing was, nobody was in the data center. It was just me. And I had to call someone to get band-aids, and it was a mess. And then I didn't actually have access to the data centre, so someone had to let me out, someone had to let me back in, and I was bleeding everywhere, and I was like, I apologize.
I'm much more professional than this.
Ashish Rajan: This is really [00:13:00] good for the Halloween theme we have, by the way. The story is a great story for the Halloween theme. I was going to say, initially I felt bad for you, but I'm like, hey, this sounds like a story that is relevant for Halloween, with the connotation about living it up and dead people.
I think this is really great. We're definitely enjoying the Halloween theme. I've got a question here from David Raviv as well. Hey, David. What are the potential landmines that most of us are not aware of? How do small to mid-size businesses deal with the overhead of being GDPR compliant?
That's an interesting question, because most small to medium-size businesses now are moving into the cloud space as well. So what do you think on the landmines?
Naomi Buckwalter: That's a great question. You know, there's actually a 2019 survey done by Proton Technologies where it said 50% of all small and mid-sized companies actually are not GDPR compliant.
So they were not, or would not be, able to pass a GDPR audit if something came. Remember, it could go up to 20 million euro in fines, 4% of revenue. [00:14:00] 20 million euro. It depends; it doesn't even matter what size company you are, but for very severe violations, we're looking at a 20 million euro fine, or 4% of global revenue, whichever is higher.
So think about a company that only makes 25 million in revenue a year. And then all of a sudden you've got this 20 million euro fine for not doing things right.
Ashish Rajan: One euro is almost two US dollars. So that's
Naomi Buckwalter: like
Ashish Rajan: 40 million US. Oh, my God.
Naomi Buckwalter: You keep rubbing it in, right. Go ahead.
You know, you're better than the dollar.
Ashish Rajan: 40 million. Like, every time you think about, do I need GDPR compliance? $40 million? Like, yes, I think I need it.
Naomi Buckwalter: So by far, the number one thing is people don't understand that this could affect small and mid-sized companies. So you think, as a small mom-and-pop shop, only 500 people in your company, right?
You are still liable to be compliant with the GDPR, especially if you're doing things like processing special categories of data, [00:15:00] like criminal history data, like gender, sexual orientation, all these really special ones. If you are processing this at a large scale, if people are really tracking people, for example, you can get hit with this.
In fact, I think I saw another study. No, it's not just the big companies getting hit with these fines. It's actually the smaller ones. So a majority of the lawsuits and fines going out right now are for small and mid-sized companies, not the Googles, although they do get hit with billions in fines, but they can handle it.
But the number one thing I would say is, small and mid-size companies don't understand the risk when it comes to needing to comply with the GDPR. So yeah, number one thing. And then some kind of traps that you probably don't know about: nobody is in charge of privacy and security at your company, for small and mid-size.
And that part, you don't have a person in charge. I think that's a trap. People think you don't need to hire someone because, oh yeah, we do security, we are in the cloud, we must be secure, you know? But the fact that your company doesn't have someone in charge of privacy actually makes you non-compliant with the GDPR. [00:16:00] Under the GDPR, you need someone in charge of privacy, like...
Ashish Rajan: Around, like, their data privacy kind of a title, I guess.
Naomi Buckwalter: It doesn't have to be the person with the title.
It could be, like, the CTO or CFO. I can see that person really understanding the privacy piece of it, but someone lower down in the chain, not a good idea. In fact, one of the GDPR regulation pieces is that your data protection officer, or DPO, needs to report to the highest level of management.
That's actually one of the articles in there. So I know it's...
Ashish Rajan: The highest level of management.
Naomi Buckwalter: So if you want an automatic promotion, you can say, hey...
Ashish Rajan: GDPR says I need to be the CEO. So, sorry guys, I just needed that position because of GDPR. 40 million US dollars, you know, like, is that motivation enough for you guys to make me the CEO of all the things I already had?
I was going to say, I'm going to slightly take a turn from a small to [00:17:00] medium-size business perspective. Okay, I'm the small to medium-size business. I heard this and I'm like, okay, I think I should look at the GDPR thing. Find someone who has privacy, or at least let my folks know that we should think about privacy, because we're storing European citizen, living citizen data in our data centers.
So where do I start?
Naomi Buckwalter: Good luck, right? Yeah. First of all, you're two years too late. You should be compliant already. So if you're not, you're in trouble.
Ashish Rajan: So yeah, the first thing: you don't talk about it, it will be fine.
Naomi Buckwalter: You're right. But they're calling for you, man. You just... hopefully you're sleeping well at night. Lock your windows and doors.
Ashish Rajan: Actually, that's a good one. Is this like a regular audit that will happen? Like, you know how if you are ISO or SOC 2 or something, you have to do it on an annual basis. Is there an external audit that you have to do for GDPR as well?
Naomi Buckwalter: Not that I know of. It's only if someone complains. Like, so you know how you can complain if someone spams you too much?
Yes. There are laws in America, at least. You can [00:18:00] report them, like report them under the CAN-SPAM Act or whatever. So it's the same way with GDPR. Someone can complain about you, your company, with the supervisory authority in whatever country it is. And then they could hit you in every single country.
So, you know, the European Union has, I dunno, like 30, 40-something countries that are actually part of the EU. So they can hit every single one of those supervisory authorities, and they in turn hit you with the lawsuits and the fines and everything else. It's not even an audit at this point, but...
If you want to, you can hire a CPA. AJ's hooked up with a couple of good ones. So you want to actually get someone in there and be like, hey, are you GDPR compliant? There is an article in GDPR, I forget which one it is, 27, I think, where you have to hire legal representation in the EU. So that's actually a good thing to have as a step.
Step one is probably hire representation in the EU. It looks totally hokey, and it is. It's really just compliance. You have one meeting with them a year.
And normally they're based in Ireland, because everything's incorporated in Ireland. What they'll [00:19:00] do is they'll walk you through your GDPR compliance checklist.
You know, it'd be like, hey, do you do this and this and this? And they'll review some of the public documentation that you have on your website, which you all should have.
Ashish Rajan: Which is a privacy policy document.
Naomi Buckwalter: Not just that, but your sub-processors, all the controls that you have. There's a very specific set of public documents that you need.
Ashish Rajan: I don't know how many people actually know sub-processors.
The first time I heard it I was like, what is this thing? But then you see the content of it, like, oh. So, what is a sub-processor?
Naomi Buckwalter: So, real easy. If you're processing data and you farm it out to a third party, the third party is now your sub-processor of that data, and they need to also comply with the GDPR.
So if you are processing data on behalf of a processor, you are a sub-processor.
Ashish Rajan: So an example would be Cambridge Analytica.
Like, oh yeah, those guys. We don't have to be like... we just use the data to do whatever we want. Sorry, we kind of may have misused it to just manipulate your entire life.
Naomi Buckwalter: Oh my gosh. The second you go outside the scope of what the processor asks [00:20:00] you to do, you are now a processor yourself, so the fines come and all that.
So you do not want to be in the Cambridge Analytica situation, which I think just took Facebook data and did the things that they wanted to, and then, yeah. So in that case, they were no longer a sub-processor. They are now a processor, because they did not act on behalf of the processor.
Ashish Rajan: They would have had that challenge as well, where it's more of a conversation for, hey, you have our European data, you probably should be a bit more careful with that. I think, to your point, if a sub-processor is breaching GDPR, does that mean the main folks, the processor themselves, are in breach as well, then?
Naomi Buckwalter: Yeah. Yes.
Ashish Rajan: Oh,
Naomi Buckwalter: You want to be really careful who you choose for sub-processors. There's a whole thing within good security management, you know, vendor risk management, you know how you want to do that, but there are very, very specific activities that you want to do when you are researching your vendors and how they comply with the GDPR.
So yes, you [00:21:00] are. Yeah, you are liable for them. What you want to do is set up, like, an MSA or a terms of service in between you guys, like a contract, and be like, hey, by the way, if you're not complying with GDPR, can we sign something on paper that says we're okay with that? Like, we're not okay.
You know, whatever, legally.
Ashish Rajan: And that's your fault. Just do not come after us. It's like, we may be attached at the hip, but we are not responsible for you not having GDPR, I guess.
Naomi Buckwalter: Yeah. I know. GDPR just ruined everyone's life, seriously. I don't know.
Ashish Rajan: And you know, it's an interesting one, because you definitely have that legal representative angle in the EU, but do you need another legal person locally as well,
who understands it quite well? I imagine legal terminology is not something that everyone knows, right? I mean, if I say something, it would have five different meanings for a legal person,
Naomi Buckwalter: But
Ashish Rajan: one or two for the average person.
Naomi Buckwalter: ...opine on anything they feel [00:22:00] like. Well, you know, that's actually one of the GDPR things. You only need, from Article 27, legal representation in the EU.
You don't need somebody internal, especially if you're a small mom-and-pop shop; you're not going to be able to hire just a lawyer, legal, you know, like, person on your team. So what you want to do is assign somebody privacy responsibilities. And that person needs to report to the highest level of management.
Like I said, they do not need to be a lawyer. They do not have to have a JD, and they do not need to have passed the bar or whatever thing it is in different countries, but in the US you do not need...
Ashish Rajan: That's good to know. Because when people listen to this, a lot of them might just think, oh, do I need to have a legal team here?
Legally, an EU business? Because I can't imagine lawyers being cheap as well.
Naomi Buckwalter: Well, my lawyer is actually not bad. He charges 500 euro for the whole year, so I think he was great. Yeah. So I feel like that's pretty good.
Actually, not that bad. But then the second you need to start using the person, I'm sure he'll be like, well, guess what? Now I'm 10,000 euro an [00:23:00] hour.
Ashish Rajan: That's a good point. Yeah. So there's a difference between having someone on retainer versus someone actively on the payroll with you guys.
If I'm trying to implement this in Azure, what's step one for me?
The first thing I do is appoint someone for handling data privacy. And what am I doing next, after that?
Naomi Buckwalter: You appoint the person. Now that person has to go out and see what data you actually have. So step two, after being assigned to this, this is the job of an amazing data protection officer: you actually want to go out and do an inventory.
Come in day one and be like, what kind of data do I actually have? What kind of assets do I have? It's the same thing for a DPO. They're going to go in and be like, oh yeah, I need to know exactly where my data is. And that's where, in the cloud, it gets really, really hard, especially if you're multi-cloud, right?
You've got data everywhere. Depending on what country it's in, you've got different privacy laws, and you have to do different things on how to protect it, contractually, you know, legally. So you need to know where all that data is, and that's step two. It's like, all right, count all the things that I have asset-wise, and now the data, and then categorize that data too.
It's like, what is [00:24:00] personal data? What is special categories of data? What is not personal data, stuff that I don't really care about as much? And you can't protect what you don't know that you actually have. So, yeah, step number two. And then Azure actually has a really nice Security Center and a way to actually see how well you're complying with the GDPR in terms of protecting your data, encryption, like very basic security, integrity, and confidentiality.
Azure has a really good way of just doing a quick audit.
Ashish Rajan: Do you feel like it has a service which kind of goes around and says where GDPR, or how GDPR, applies as well?
Naomi Buckwalter: Yeah. Like, the how would be like, hey, it'd be really good
if you put encryption on all this data at rest. You know, it's very basic stuff. As a security professional, you want to at least have all your ducks in a row first and be like, all right, so GDPR gives you a principle of this. Do I satisfy that principle? And then the DPO, the data protection officer, is going to go in and look a little further and be like, let me just make sure that it's doing the right thing. But the GDPR doesn't tell you what level of encryption you need to have.
It doesn't tell you what algorithms to [00:25:00] use when you're hashing. It doesn't do that, because technology always changes. So what's the point, right? So the GDPR is a test of time. Yeah.
Ashish Rajan: That brings up an interesting point about the data protection officer.
There's another component to the GDPR. It's really relevant for a European citizen, but a lot of other... I think CCPA now has that as well.
If I'm a European citizen and I know that a company is storing my data, I can call them up, or I can contact them and say, delete my data, specifically just my data, right? And is that part of the GDPR compliance thing?
Naomi Buckwalter: Yeah, the data subjects act, or data subject rights. There are different ones, like right to deletion, right
to be forgotten, basically; a right to correction, where you'd be like, hey, that's not my address, you need to fix it, and stuff like that. You know, right to remove your consent and be like, you can no longer use my data for certain things. You can opt out of stuff.
Ashish Rajan: CCPA is like another version of this as well.
I think the CCPA is trying to do this kind of thing, but I was going to say, one of the things that a [00:26:00] data protection officer may also have to see, going deeper, would be: can I delete Ashish's data if he's a European citizen? Like, you know, because it's so complicated, that world.
Naomi Buckwalter: Yeah. Anyone who lives in the EU, or if you passed through the EU and at some point someone collected data from you, you can go back to that company and say, hey, I no longer give you my consent to use this data. And they must delete it within 30 business days or otherwise.
Ashish Rajan: Yeah. And then, everyone in the company, panics how do I delet just that data I’m using it’s everywhere.
I’m like, well, good luck
Naomi Buckwalter: Data inventory. You need to know where everything is. Exactly. And for cloud it’s so hard, like imagine now that it’s not just for IaaS. Now for all the SaaS services you use. Right? So if you’re sending stuff out to Snowflake or whatever, you know, you got your data warehouse set up and it’s got your personal data of your EU customers.
Now you have to know where that data is and how to get rid of it. So, yeah, it’s, it’s a huge pain in the butt for sure. Cloud does not [00:27:00] automate a lot of the stuff, like you can’t just type in an email address, be like delete
Ashish Rajan: email address. Like obviously it was a feature like that.
Naomi Buckwalter: Yeah. So, I mean, there’s some things you can put in place, like there’s, there’s legalese around and be like, well, actually I still need to use this data. There’s some, there’s a thing called like business purpose, you know, there’s a reason that you need to keep this data.
Even if somebody asks you to delete it, you can be like, well, I need to keep a certain aspect of it. There’s ways to get around it. But I don’t suggest that, like, if you want to really follow the spirit of the GDPR. You need to delete when someone asks you to delete, you need to modify it and correct it.
Ashish Rajan: From a small to medium sized business listening to this:
first step, appoint a data protection officer.
Second step, get the asset inventory or data inventory, where the data is.
Third one is find out if you can actually delete an individual record of a person, I guess,
Naomi Buckwalter: I mean your step three, I guess, is just to kind of make a list of all the compliance activities that you do need to have. And if you guys follow cyber A, sign up because I’ve actually created a course in cyber for this, but there’s 13 [00:28:00] compliance activities.
Some of them you already do as an information security professional. So you can just chop those off and be like, I’m done with that. And then the rest of them, the rest of the 13, you want to just prioritize and you want to like ruthlessly prioritize them. So you’re not like, do the biggest one first. You want to do like those really easy ones, like hiring a lawyer from the EU, like that’s real easy.
Boom. And then the rest of them, you kind of just want to prioritize based off how, how many resources you have, how well you’ve already done certain things. Like how, if you’ve already gotten halfway to one of the compliance activities, can you go the rest of the way, you know, and always, always, always make sure you can capture evidence and make yourself have that accountability principle. Accountability is huge under GDPR. You want to have your evidence saved away in your place of storage and then making sure you prove that you actually follow that compliance activity or principle.
Ashish Rajan: Another question on this is, and, okay, so I’ve done all this and I feel I’m GDPR compliant, but it is still a self-assessment.
So I just have to rely on my lawyer who’s [00:29:00] on my retainer to confirm that I’ve covered everything. He or she is not going to be judging me on it. I’ve done step one, two, three, four. Great. I feel confident I can delete Ashish, the European living citizen, data. And, it’s funny. I have to say that living citizen as well. It does make a difference.
It’s funny enough. And, after I’ve done that now. I feel like, okay. I’ve got a lawyer on retainer as well. So he, or she can help me validate my self-assessment is actually covering everything without judging me for it. And without notifying someone else that, Hey, they may be in breach in contract for two years.
Naomi Buckwalter: Yeah. And then you want to have your public documentation up on your, right? Yeah. That’s another big step too. Like, really easy proof that, you know, you have your standard contractual clauses ready to go if someone asks for them, your data protection and assessments, your DPA, you’re going to do a DPIA of all the different assets you have too.
That’s a whole another thing. Check out cyber, I, when it comes out,
Ashish Rajan: yeah, I was going to say like, you’re throwing all these terms, Naomi. Sorry, of course now I’m like, [00:30:00] what are these
I just realized for the podcast audience who might be listening to this, they should definitely jump on to the YouTube channel and check out this amazing outfit contribution that we are doing to make sure GDPR sounds as fun as it can be, I guess, as well.
I was going to say now, since, you know, a lot of the conversation that we’ve had so far has been more for small to medium sized businesses. And I guess this is probably not that big a problem at an enterprise level where there’s, I mean, there’s a legal team and there’s a, is there something that you’ve noticed which is a challenge at a larger scale, is maybe a disconnect between legal and data protection officer or whatever.
Is there like a disconnect that comes in. Yeah.
Naomi Buckwalter: I mean, considering all the fines that you’re seeing from the Amazons and the Googles, like Google just got hit by a big GDPR fine, right? There is absolutely something going on in those bigger companies where it’s just a business decision to take on that risk.
So some companies just won’t comply with the [00:31:00] GDPR because they’re like, we’d rather just pay the fine so less. Yes. They’d be like this. So this is absolutely one thing it’s like, this. Okay. If we get hit by a fine, we’ll just pay it, whatever.
Ashish Rajan: It’s hard to say if it’s misusing data or if it’s just like data left unencrypted
Naomi Buckwalter: the way they’re using our data and like data brokers and stuff, they are making so much more money than what their GDPR fine is that it would just be like a drop in the bucket.
And they, they have made the decision not to comply with the GDPR, but I’m sure they put on a good show. I’m sure they have legal teams that tie up the courts, you’d be like, Oh, you think we don’t comply? Well, here’s a counter suit or whatever, you know, like whatever those companies are doing, but yeah, you just Google like “Google, a large company, GDPR”, and you’re going to see lots of companies just decide not to comply with the GDPR.
It’s probably not going to be such a great idea for a smaller company. Like you, you probably don’t want to do that. You want to comply.
Ashish Rajan: maybe we should have a topic about [00:32:00] this. Like what are these big, giant data process processes really doing with our data?
I feel like it would be a documentary, BTW if anyone hasn’t watched The Social Dilemma, they should probably watch The Social Dilemma, not associated with this. But have you ever used, like if you’ve watched The Social Dilemma.
Naomi Buckwalter: So true. They’re not selling us; well, we are the product, first of all, since it’s free, but all the data they’re collecting about us, you would be astounded how much money they make, how much money goes back and forth between the data that you put out there.
So hopefully one day, I mean, that’s what the GDPR is kind of trying to do, it’s like let’s protect all the private data of people. But really it doesn’t stop these companies from making assumptions about you. I think about stuff where like you’re trying to apply for a mortgage, right? This is where GDPR would be a great idea to have, honestly, this is like, GDPR is actually a good idea, but like say you’re applying for a mortgage and then the mortgage company is taking a look at your data that’s out there and be like, well, I have all this data and they’re crunching all your data. And all of a sudden they’re making a decision for you based off [00:33:00] of the data they’ve collected and then no, you’re not allowed to have a mortgage anymore. No more loan for you. No money for you. Well, that affects the person, like actually trying to get this mortgage. It would be like, you just made a decision using my data that you know nothing about me.
Like, I can explain away the reason why I didn’t pay that credit company or whatever it is like you. Yeah. So the GDPR has a special provision for that and be like, you can’t just make decisions based off of the data that you have that will affect somebody’s life, trying to get a mortgage or trying to get a loan.
And it’s that, it’s that kind of stuff where the privacy laws are trying to get better and be like, let’s protect. Let’s like make common sense laws for these people. And so they can live their lives. And instead of having these huge companies come in and take all the data and make all these decisions for you that affect your life.
Like that’s what the law is trying to do. Right. Right now it’s very imbalanced. You see these big companies coming in and just wiping everyone out and be like, Hey, we’re just going to collect all the data on you. And no one’s going to stop us. And Hey, we’ll pay 4% of our global revenue. No problem. It [00:34:00] doesn’t stop them.
I chewed into that. That’s a really good podcast. Talk to my friend, James. He actually has a great podcast, like a goodbye privacy. He actually does talk about this a lot
Ashish Rajan: there’s this question here from they on what about a startup? I have no money to be GDPR compliant. I can’t serve Europe. Is that what that means for?
Naomi Buckwalter: Yeah. And if you don’t have any personal data of EU citizens, you don’t have to worry about it. Like this really is just for companies that process personal data of EU residents, living residents.
Ashish Rajan: So, I think the short answer to that is, as long as you can make sure that you don’t have any European citizen data, you don’t have to worry about GDPR compliance. Living European citizen data
Naomi Buckwalter: literally. Collecting people, you know, that personal data of EU people, anyone who’s passed through the EU is actually technically protected.
So you just want to be really careful that people that you do collect
Ashish Rajan: I’m going to throw a spanner in the works. Like what part of European citizen data is technically [00:35:00] sensitive. So if you have my first name and last name, but that’s all, vs. first name, last name, address, mobile phone.
is there like a challenge like that as well?
Naomi Buckwalter: Yeah. Yeah. Well, like I said, personal data is really anything that identifies a person. So it’s your first name, your last name, and then any combination of that data that can identify somebody. So if I can take your first name, your last name, you know, your home town right now, and I can reasonably identify you, then yeah, that is personal data, that set of data.
Ashish Rajan: If I’m just collecting, I’m like a data processing company, but I don’t. All I can process is first names and last names. Nothing else.
Naomi Buckwalter: Okay.
Ashish Rajan: That’s what I said. I’m going to throw a spanner in the works.
Naomi Buckwalter: Well, hm, yeah, like if you are a name collector, and you’re just trying to like get statistical opinions, I mean, first name and last name is still considered personal data under the GDPR.
So you need to be compliant with the GDPR. And again, all it really takes is like, you know, encrypting the data a certain way. Please making sure you have your [00:36:00] contracts in line. Make sure you have evidence for the things that you’re doing to protect the data. And it really doesn’t cost a lot of money. So you shouldn’t be paying $50,000 for, like a, a consultant to come in to take a look at your GDPR.
You can do this yourself. Like literally anyone. I mean, look at me, like I’m not a lawyer, I’m not anyone. You just, basically, it makes sense. After a while you start reading it and there’s so many great resources online, too.
Like my course, Hey, like what’s up, you need to go to the cloud provider and they have documentation on how to stay compliant, you know, different things you do.
And those are all free services, it’s built into your, your tier most likely. But then you also have like random websites that help you. Plenty of great blogs. When I was creating my site, my course for cyber, I referenced these sites all the time. Nymity has a really good one. N Y M I T Y. They’ve got a great framework for GDPR compliance.
You know, I basically copied a lot of what they had, asterisk, I didn’t actually write a lot of this stuff myself. And then you’ve got things like [00:37:00] gdpr-edu.info. They’re really great. They just break everything down. They give examples. They’re like, Hey, what if I do this?
What if I’m with this person? And what if I’m only collecting this? And they very, very easily map that back to the actual, like, language within the regulation. Then you just have to read it, so anyone can do this, guys. Trust me.
Ashish Rajan: Right. Anyone can be okay. You know who to reach out to. And when you, A question that claim, that doesn’t sound that simple.
Naomi Buckwalter: So if we get around the fact that it’s boring, it’s super boring. When I like
Ashish Rajan: glasses of wine or beer or something, I’ve got another question from Vineet, it’s interesting if he European citizen users accepts citizens of another country. So GDPR applies to their data.
Naomi Buckwalter: If EU citizens accepted sins of another, I’m not too sure what that means.
Ashish Rajan: Oh, so maybe it’s like a European company accepting data of a non EU citizen.
Naomi Buckwalter: Oh, I see. Oh no, no. It’s just, it applies to EU personal data. So if you are a company that needs to collect personal data like [00:38:00] American citizens, I mean, you still want to have your basic security protections. That’s kind of the point of this, but you don’t have to throw all those other things like the subject, subject to requests.
You don’t have to really. It’s the only thing with that because GDPR does not apply to American citizens. And that’s part of the problem, I think. Yeah, the US government is actually trying to pass a house bill right now. I forget the actual name of it, but it doesn’t have a fancy term. It’s just like, you know, federal privacy for,
Ashish Rajan: to, hopefully that answers your question Vineet.
there seems to be a lot of work going on, like, especially I think I believe CCPA is trying to cover this as well. Where as a citizen, a Californian citizen, you can kind of go. Hey, I mean, cause we did an episode on it and I was actually, I was curious about the whole thing as well.
And I realized, Oh, as a California citizen, under the CCPA, you can ask someone holding onto your data to go, nah, you can’t, you need to get rid of that data, which is my data, blah, blah, blah. Or you can get sued or whatever. So I’m like, Oh, and I was told that a lot of other folks are looking at other compliance frameworks, are looking at this.
[00:39:00] What does it mean for their state’s citizens as well as that’ll be really interesting what court comes out of it. So people should vote and listen to what’s happening in the bill
Naomi Buckwalter: representatives. I mean, yeah, that’s the whole point of the federal bill, because you’ll see other states right now. Like Maryland’s coming out with one, Nevada has one, New York has one. California actually has one, or obviously has one, but all these little states are coming out with their own privacy laws. And it’s like so hard to keep track of. So the US government’s like, Hey, let’s just create one giant federal bill, and you know how things just take a very long time to go through it.
So yeah, they just wait five more years and then maybe we’ll have one, but right now it’s looking like this: states are just jumping on top of GDPR. Like CCPA is a little bit of a copy of GDPR. It’s not like one-to-one mapping, but yeah. There’s a lot of principles that it follows.
Ashish Rajan: Yeah. I mean, there’s a, it’s a lot more to CCPA.
One of the aspects that they called out was, they’ve tried to emulate some parts of GDPR by allowing Californian citizens to go, Hey, I can delete my data, but what does that really mean? And [00:40:00] how many people have been collecting data for so long? So it’d be really interesting how the federal bill, but to your point, it may take some time
Naomi Buckwalter: and there’s going to be a lot of new jobs because of the, you know, a lot of privacy jobs.
But hopefully we automate a lot of it too. Like, there’s a really big opening in our industry for security that actually would just be like, Hey, can I, can you help me comply with the GDPR? I’m only a hundred person company. Can you help me comply with the GDPR in an automated way? A really automated way?
Is there like a plugin I can just do, make sure it just does a quick audit, follows all the laws. It’s kind of like your TurboTax at the end of the year and be like, do you do this and this and this and this. And then like copies all the evidence that you have into like a pocket or whatever. And then it’d be like, you know, like, like that would be really nice to have, if AJ is still listening.
That’s an idea.
Ashish Rajan: I was going to say, I think AJ is SOC 2 Type 2 and then this could be the future, but, so that’s a really interesting point. So GDPR can be automated. You reckon like a lot of it can be automated
Naomi Buckwalter: evidence, I believe so. Yeah, because it’s really just like [00:41:00] your policy documents and then like how well you’re actually following the policies.
So yeah, there’s, there’s ways of capturing evidence that you have complied with the GDPR. I mean, that’s really what the audit would be doing, similar to SOC 2.
Ashish Rajan: That is awesome. So that also means you can scale GDPR. I think so.
Naomi Buckwalter: Yeah, but there is no company right now that actually does it. So if anyone’s listening, you’re looking for a good idea for a company or for a business,
there’s definitely companies who would pay for this. Like I would definitely pay for this as the head of information security and privacy for my company. I would definitely be like, yeah, actually come on in and collect all the evidence for me. And then just give me a stamp of approval. Boom.
Ashish Rajan: I wanted to say thank you so much for taking the time out. For people who want to reach out to you, obviously we’ve mentioned your LinkedIn already. But so is that the good, is that the best place to reach out to you, not to sell you, but to ask for cybersecurity advice,
Naomi Buckwalter: you need help with cybersecurity.
If you need someone to just serve on your resume off of again, I set aside a few hours a week to do that. So go ahead and just Slack me, go ahead and, you know, send me a [00:42:00] LinkedIn message and I usually just send back like a calendar that you can pick and choose from. So it works that way. Yeah,
Ashish Rajan: no, that’s good.
Cool. Thanks so much. And it’s pretty awesome to know that, I mean, you’re, you’re helping a lot more people as well. Not just companies and corporations. You’re actually helping people get into the space as well. So just pretty awesome. Thank you again. Thank you so much for the Halloween theme as well.
I appreciate it. Happy Halloween
Naomi Buckwalter: to everyone else. Thanks everyone for listening.