How I Learned to Stop Worrying About GDPR Compliance & Requirements


There’s about one month left before the European Union’s General Data Protection Regulation (GDPR) goes into effect. The GDPR is among the most pressing privacy issues facing global organizations and it’s easy to see why. The Internet is [mostly] free for one reason – you’re the product and your private data is the currency. Multi-billion dollar businesses have been built on the business model of surveillance capitalism. Changing the way your private data can be used will essentially require a rewiring of the Internet.

That said, there’s hope for all businesses.

“You’ll never make it by the deadline,” the Scary Technology Expert (STE) says. “And it’s going to destroy the way you do business!”

Forget about that. First, don’t do business with people whose sales process is fear. Second, you can achieve compliance by the deadline. And it’s not going to destroy the way you do business – it’s going to change it. There’s a difference. Keep in mind that there may be a lot of work achieving either.

While the GDPR will certainly mean changes in the way you conduct business, it also holds new opportunities for organizations to strengthen the security components of their privacy policies and procedures. Let’s take a look at some of the risks and accompanying opportunities that GDPR will introduce to your business.

“Now Hiring”

One of the requirements for GDPR compliance is the appointment of a Data Protection Officer (DPO), an employee responsible for overseeing and implementing your data protection strategy. But you can log out of your favorite recruiting website now – these people generally don’t exist. In addition to the severe shortage of cybersecurity talent in the market, the DPO is required to have expertise in security, privacy and cybersecurity law. My advice to those looking to hire a DPO: you may have better luck finding a U.S. Senator that understands Facebook.

The good news – small organizations aren’t required to appoint a DPO. In addition, there are organizations who can provide this resource “as a service.” This model is gaining steam in cybersecurity, primarily due to the talent shortage. It can also be far less expensive to outsource this function.

Prove It

Another challenging requirement will be the maintenance of processing activity records. Most businesses are used to self-attesting to their security and privacy processes (or not attesting to them at all). GDPR now requires that these activities be auditable, which means the creation and maintenance of a whole new family of metadata. Organizations will need to prove that what they’ve done with the data they’ve collected actually happened, whether that was transmitting storing, erasing, analyzing, etc.

The current definition of acceptance and proof is arbitrary and it’s not clear what GDPR auditors will be looking for.

There are other challenges. The current definition of acceptance and proof is arbitrary and it’s not clear what GDPR auditors will be looking for. Those are risky waters to be in and finding an efficient system for the recording of processing activities will be an uphill, if not confusing, battle for many organizations. The good news – improvements in auditability will make compliance with other regulations faster, easier and less expensive. This metadata can also be used to continuously improve your cybersecurity program, and in the end, these efficiencies can vastly improve the way your business protects data.


The right to erasure will likely have some organizations quivering in a pool of their own sauce: namely those whose business model relies on cashing in on other people’s data.

Imagine how vastly the internet would change if Facebook started charging $0.49 per month or if Google charged per search in order to make up for lost revenue.

Article 17 of the GDPR states that EU citizens have the right to approach businesses like Facebook, Google and Credit Karma and ask to have their data erased. When user data is erased, the value of companies that rely on selling this data goes way down. Most Internet companies make money through surveillance. Have you heard the expression, “If you’re not paying for the product, you are the product”? Imagine how vastly the internet would change if Facebook started charging $0.49 per month or if Google charged per search in order to make up for lost revenue.

The good news – the less data you have, the easier it becomes to secure it. This security fundamental should help offset some of the financial impacts of losing data that you’ve been monetizing. It will also force businesses to be more creative and explore new, more diversified revenue streams for the long-term. Maintaining multiple streams of income lessens risk, protects cash flow during lean times, and ensures that your business always has money coming in to fuel future programs and advancements.

No Sugarcoating It…

The GDPR is vague in areas. It may cause significant changes for your business. It’s a lot of work.

The good news – it can be done. It’s also going to make your organization stronger as you get better at balancing business needs with consumer privacy. The relationship between you and your customers will change, but probably for the better. You’ll gain a deeper understanding of your company’s data and have the opportunity to create a cybersecurity strategy that thinks beyond May 25, 2018.

Compliance is possible by the deadline. Watch GreyCastle Security’s recent GDPR compliance webinar to learn how to prepare for these data protection requirements.


About The Author: Reg Harnish

Reg Harnish is the CEO of GreyCastle Security, a leading cybersecurity risk assessment, advisory and mitigation firm headquartered in Troy, New York.

As CEO of GreyCastle, Reg is responsible for defining and executing the company’s vision. Under his leadership, the company has experienced six consecutive years of triple-digit growth and countless industry accolades. Today, GreyCastle Security is working with organizations in nearly every state in the U.S.

Reg is a nationally-recognized speaker and has presented at countless industry events. Reg was recently recognized as the Cybersecurity Consultant of the Year in North America by the Cybersecurity Excellence Awards for the second consecutive year. He has been featured in Time, Forbes, CBS Nightly News, The Washington Post, Dark Reading and others.

Reg is a member of the Forbes Technology Council and a fellow of the National Cybersecurity Institute in Washington, DC.