The GDPR concept of ‘state of the art’ (SotA) continues to cause confusion for many – and I’m afraid that even though SotA is used throughout the GDPR (and the Network and Information Security Directive), it is defined nowhere, so waiting for definitive guidance is not going to be fruitful.
Some product vendors, and the consultancies that help end-users implement their products, try to steer buyers towards a simplistic, single measure of state of the art: whatever is closest to the leading (or bleeding) edge of technology development – the “latest and greatest.” This approach is unsurprising: product vendors need to fill their revenue pipelines, as do the consulting houses, although most vendors genuinely believe they have some sort of innovative product or advanced technology.
Don’t get hoodwinked into believing that this is the only way to go.
Key Points on State of the Art
- Don’t waste money on unnecessary and possibly risky IT projects. Remember, actually implementing SotA in your organization is NOT mandated – but taking it into account is. Not a lot of people know this: too many assume that implementation is mandatory. It isn’t – but oddly enough the vendors aren’t exactly rushing to point this out.
- You need to assess SotA against cost, risk, and context (specifically the nature, scope, context, and purposes of the business) in determining whether to deploy SotA technologies or processes.
- Consider the full combination of factors when making SotA decisions. Weigh the imperatives of functionality (or technology advancement), market/industry adoption, and future-readiness against each other to create a balanced framework for making SotA choices. Remember that in the real world, trade-offs are inevitable; they just need to be explicit, not hidden or ignored.
- Articulate your organization’s view of what state of the art means for you. Remember that you must be able to defend this view, possibly in court, so you need to be clear about it.
If you’d like to know more about how to develop your own SotA process, take a look at State of the Art: A Model to Enable Compliance With GDPR.
The IDC team is back at InfoSec once more, to share analysis, insights and forecasts for the European Security market. Register now to come and meet the team for breakfast, discussion and debate on all things Security.
IDC’s Breakfast Briefing on 6th June – “The CISO’s TO-DO LIST”