Blowing the Whistle on GDPR Profiteering

12th Mar 2018

Until quite recently, we at Ensign have taken the position to remain relatively quiet on the topic of GDPR. The main reason for this being that, collectively, we feel it is wrong to over-speculate; particularly on a subject that is equally broad as it is complex. 

However, it seems that the GDPR conversation has reached ‘fever pitch’, and the level of misinformation and tactical manoeuvring has gotten to a stage where we feel a little sanity must be restored. Our concern is that, as GDPR D-Day looms ever-larger, the panic and hysteria will only get worse.

We like to think of Ensign Communications as an ethical company and feel that honesty and humility should be the core values of every business. Any other approach should be considered to be short-term; as many have found out the hard way, reputations are fragile things.

A disclaimer: before we begin, it is worth prefacing this article with a statement:

Ensign Communications does not claim to be the authority on GDPR (as will become clear throughout the duration of this article). We do not view the many businesses and organisations attempting to clarify the changes to GDPR for the greater good to be deceptive, but we are certainly suggesting that there are more than just a few ‘bad apples’.

Why GDPR is more Good than Bad

Unless you have been hiding under the proverbial rock for the past year or so, you will be more than familiar with the proposed changes to the General Data Protection Regulations (GDPR) and what the implications are for businesses. However, a daily scan of the media discourse surrounding the changes reveals that, for the most part, the main drivers behind the whole deal have been either watered down or lost entirely. 

At its core, we feel that the regulation is a good thing, and here’s why:

Unification – once in place, GDPR regulations will be what the EU refers to as ‘harmonised’, meaning that we, as businesses and business owners, will only have to comply with one law (even post Brexit). Not such a bad thing, is it? 

Control – secondly, the directive aims to give us all, as consumers, some control over our data after many years of, well, quite the opposite. Handing Joe or Joanna Public control of their data and finally getting a grip on those pesky unsolicited emails, texts, phone calls and direct mailers cannot be a bad thing! 

The GDPR ‘Chancers’

A large part of remaining relevant to our customers is having a current and insightful understanding of the markets in which we operate, and achieving this involves regular research into the activities of our competitors – it’s just good practice

Those claiming to have the answers to GDPR have been around for a time, and we have generally ignored them as we are sure you have too. But, more recently, we have witnessed some unsavoury practices creeping into the business networking world – our world - and have been somewhat dispirited by the actions of – for want a better word – our peers.  

Put very simply, what we have seen are multiple instances of network solutions providers claiming that upgrading, or even totally refreshing, their wireless networks is necessary in order to meet GDPR compliance - or, in other words, profiteering. Scandalous! 

We have even stumbled across so called ‘data tracking solutions’, which claim to be the one-stop-shop solution to tracking and analysing your data. Also scandalous! Of course, we are not saying that this software doesn’t do what it says, but the truth is that businesses really don’t need to be adding software to their systems in order to comply with GDPR regulations or indeed to avoid a nasty fine. 

Here’s a basic outline of what you ‘need’ to know:

•    Whose data you are storing 
•    How often you are processing it
•    If you are processing it lawfully (double opted in)
•    Is your system able to ‘forget’ a person’s data when required

If you’d like to dig a little deeper into the guidelines to GDPR compliance, there are 12 guiding principles of GDPR on the Information Commissioner’s Office (ICO) website. This really is the best place for businesses to start their ‘journey’ to compliance. 

The MAC Address Deception

One of our main motivations for writing this blog is the frequency of calls that we have experienced which, if we are being completely honest, have left us feeling a little frustrated to say the least. 

Through these calls it has become apparent that a number of our competitors in the guest WiFi sector are using GDPR to either justify a price hike or to force their customers into a full hardware refresh. Quite frankly, this is despicable and, although we won’t, we feel compelled to name and shame!

For us, it would be quite a significant leap to go from facilitating the collection of MAC addresses (which is an essential bi-product of allowing guests onto a private network) to suggesting that we would need to refresh your hardware at some considerable expense. 

It can certainly be argued that a MAC address is Personally Identifiable Information (PII); in fact you can find it listed as such, here. However, the gap between using MAC addresses to allow guest network access and GDPR non-compliance is, well, huge. All you really need to do is to seek that individual’s approval for using their information at the point of login, which can this is easily done through a number of solutions such as Aruba Central or Aruba ClearPass. 

A Distinct Lack of Definition

Sadly, GDPR Scaremongering is rife, but let’s be totally upfront here...

We have held meetings, attended seminars, talked with GDPR consultants and formed our own internal committee to make sense of the changes, and one thing is for sure; there is an overwhelming lack of definition with regards to what exactly is expected of businesses in order to comply. 

This, when combined with the worst case scenarios for non-compliance, and the threat of business-crippling fines, creates a large window of opportunity for our ‘GDPR Chancers’. 

Quite frankly, given that we all have access to exactly the same information, there is absolutely nothing to suggest that any company or individual could claim to a bona-fide expert on GDPR.


Be very wary of anyone offering you guarantees on GDPR

Again, we should assert our position that this does not mean GDPR consultants or other kinds of service providers do not offer any value. Bringing in a third party would certainly help in achieving an unbiased view of your network and data processing procedures. We see this first hand when we conduct network health-checks, which have helped our customers to better understand the current state of their networks and to move towards GDPR compliance in a positive manner.   

However, receiving a de facto ‘YES’ or ‘NO’ to GDPR compliance is currently improbable - you can get assurances, but that is really it. Anyone claiming to offer more than this should be treated with a healthy degree of suspicion.


What Next?

For advice on designing or upgrading your business WiFi network and associated systems, to the deployment of security solutions like Next Generation Firewalls and Endpoint Network Security, please contact Ensign Communications for a chat with our technical team.