RE: SLIGHTLY OT GDPR

From: Matthew Parker <dimensional.dba_at_comcast.net>
Date: Wed, 18 Apr 2018 09:11:18 -0700
Message-ID: <1e9501d3d72f$e2a0f370$a7e2da50$_at_comcast.net>



Not really OT. This is a new security paradigm that most of us will probably have to deal with. As companies rush to a first implementation of the rules surrounding GDPR, there will be some strange security policies, until we technical folks can work through with the legal folks what can meet the needs of both sides. Right now a lot is driven by legal, as any current contracts have to be updated that deal with any of a company's sub-processors of data.

Most companies that already were dealing with EU data have reasonable policies as to how we protect the data without affecting backup or DR strategy, as protection was already baked in. GDPR at least makes the rules uniform across the EU and enhances the removal of data from the EU zone of control.

If your company had DR or test requirements where data was being copied between the EU and US, then those of course may have to change, or security policies around it may have to change, as the US is not considered a secure place for EU data, although through the Privacy Shield clause companies within the US can be certified as in compliance with GDPR and that data transfer can happen. As always with legal items, the programs are in flux.

I have one client that has disallowed their previous BYOD policies along with no external drives (disabling usb ports) and email programs that disallow sending attachments or certain emails completely outside the organization if they have certain key words in them.

I have other clients who have implemented new firewall policies that, yes, prevent copying data such as a backup out of the EU.

I find the policy point you mentioned interesting:

"I am not allowed to generate large amounts of network traffic or test security tools"

Not transferring large amounts of data would allow a company's current firewall (full packet inspection) not to be overwhelmed.

A lot of companies already have the "No testing of security tools without authorization" rule. It is normally targeted at hacking and sniffer tools, not base security tools like audit or enforcement products.

Matthew Parker

Chief Technologist

Dimensional DBA

Oracle Gold Partner

425-891-7934 (cell)

D&B 047931344

CAGE 7J5S7
<mailto:Dimensional.dba_at_comcast.net> Dimensional.dba_at_comcast.net

<http://www.linkedin.com/pub/matthew-parker/6/51b/944/> View Matthew Parker's profile on LinkedIn

<http://www.dimensionaldba.com/> www.dimensionaldba.com
   

From: oracle-l-bounce_at_freelists.org <oracle-l-bounce_at_freelists.org> On Behalf Of Howard Latham
Sent: Wednesday, April 18, 2018 4:06 AM
To: ORACLE-L <oracle-l_at_freelists.org>
Subject: SLIGHTLY OT GDPR

Anyone seen an IT sysadmin staff-based GDPR policy? According to my company's staff policy - which I have not signed - I am not allowed to make copies of databases (er, backups!) or delete copies (er, replacing backups). Also I am not allowed to generate large amounts of network traffic or test security tools. Luckily it doesn't say I should shoot myself if I see a data block whizz past me on the screen!

BTW, I completely accept, understand and support the need for GDPR.

Howard A. Latham

--
http://www.freelists.org/webpage/oracle-l
Received on Wed Apr 18 2018 - 18:11:18 CEST