The Problem With GDPR Is …


The problem with GDPR is … and it is the same problem that audit/compliance regimes have … it sets out a scope but cares little about the detail. The concept of pseudonymisation, for example, just doesn’t go far enough in most cases. But the main weakness is that it hasn’t stopped the industry from sleepwalking along as before. We still hear of data breaches where the data was not encrypted, or where passwords were not properly hashed.

Little has thus changed in the way that companies do things, and systems that properly integrate encryption at every stage still have a long way to go. So what should the EU do next? Rather than laying out the scope, it should go straight to the heart of the problem areas, and at the top of the list must be the use of properly hashed passwords, and an end to passing plaintext passwords over a network. Why can’t the EU simply define that storing a password must mean storing a completely random nonce value (a salt) together with a slow hash derived from it, rather than the password itself or a bare hash of it?
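To make the "random nonce" point concrete, here is an added example (mine, not from the original post, and not anything GDPR or the EU prescribes) of the difference between a bare hash of a password and a salted, slow password hash. The parameters are assumptions for illustration: PBKDF2-HMAC-SHA256 from Python's standard library, a 16-byte random salt, 600,000 iterations and a 32-byte output. The sample passwords are constructed for the demo.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Assumed parameters for this example; the article itself does not fix any.
ITERATIONS = 600_000   # work factor: slows down offline guessing after a breach
SALT_LEN = 16          # bytes of random nonce stored alongside the hash
KEY_LEN = 32           # bytes of derived output


@dataclass(frozen=True)
class StoredPassword:
    """What the database keeps: the random nonce (not secret), the
    derived hash, and the work factor used, so it can be raised later."""
    salt: bytes
    digest: bytes
    iterations: int


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> StoredPassword:
    """Derive a record to store. A fresh random salt is drawn per password
    unless one is supplied (supplying one is only useful for tests)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=KEY_LEN)
    return StoredPassword(salt=salt, digest=digest, iterations=iterations)


def verify_password(password: str, stored: StoredPassword) -> bool:
    """Re-derive with the stored salt and work factor, then compare in
    constant time so the comparison itself leaks nothing about the digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    stored.salt, stored.iterations, dklen=KEY_LEN)
    return hmac.compare_digest(candidate, stored.digest)


def unsalted_sha256(password: str) -> bytes:
    """The 'failed to properly hash' anti-pattern: fast, and identical for
    every user who chose the same password, so one precomputed table or one
    cracked record breaks all of them at once."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def same_password_same_record(password: str) -> bool:
    """True if two users with the same password end up with identical
    stored records under the bare-hash scheme (they do)."""
    return unsalted_sha256(password) == unsalted_sha256(password)


def same_password_different_record(password: str) -> bool:
    """True if two users with the same password end up with different
    stored records under the salted scheme (they do, because of the nonce)."""
    a = hash_password(password)
    b = hash_password(password)
    return a.salt != b.salt and a.digest != b.digest


if __name__ == "__main__":
    # Constructed sample: two users who happen to pick the same password.
    pw = "correct horse battery staple"
    print("bare hash collides across users:", same_password_same_record(pw))
    print("salted hash differs across users:", same_password_different_record(pw))
    rec = hash_password(pw)
    print("verify right password:", verify_password(pw, rec))
    print("verify wrong password:", verify_password("Tr0ub4dor&3", rec))
```

Note that the salt is stored in the clear; its job is not secrecy but to make every record unique and to force an attacker to run the full work factor once per user, per guess. The stored iteration count lets the work factor be raised for new records without invalidating old ones.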

Unfortunately, if this drive were left to major companies, such as Microsoft and Google, we would be waiting for a long time. In the forty years of the Internet, little has actually changed in the ways that we protect documents and send email.

So here is my Christmas list for the EU, with the levels against which companies would comply:


Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice

Professor of Cryptography. Serial innovator. Believer in fairness, justice & freedom. Based in Edinburgh. Old World Breaker. New World Creator. Building trust.