How GDPR Can Be a Good Thing for a CSO’s Career: Part 1

GDPR is on everyone’s minds and in everyone’s inboxes right now. But what does it have to do with today’s CSO and his or her career track?

GDPR provides a rare opportunity for a CSO to place his or her fingerprints on the company’s data privacy approach and practices. CSOs are in a unique position to both help guide their companies through a difficult process and benefit from career development and exposure. GDPR is a compliance forcing function at a scale we haven’t seen since SOX, more than 15 years ago. A CSO who is able to bring the many pieces together will lead his or her company, and ultimately his or her career, to success.

As of May 25, 2018, GDPR became enforceable. The challenge for CSOs is to consider how prepared they are to drive this initiative and lead their companies to success. Most security and compliance regulations require a cultural change within the ranks to take hold, but many think that GDPR is the big one that will govern us all, or at the very least will set the tone. Though the EU took the lead on data privacy, this law reaches well beyond Europe: under Article 3 it applies to any company, wherever it is established, that processes the personal data of individuals in the EU in connection with offering them goods or services or monitoring their behavior.

In this two-part series, I’ll share a few suggestions for CSOs who want to use GDPR’s arrival as an opportunity to further their company’s success as well as their own.

Know your role as it relates to GDPR

As the CSO, it will be your responsibility to rally around the cause of data privacy and use this opportunity to bring everyone in your company (and its many third party relationships) along for the journey. It sounds difficult, but the good news is that you are already the person best placed to know where and how personal data flows throughout the company and how the specific people functions intertwine with that data. That knowledge is exactly what Article 30 asks for: a written record of processing activities listing what personal data is held, why it is processed, who it is shared with, and how it is protected. If you do not already have a data inventory at that level of detail, building one is the first concrete deliverable you can own.

In many ways, you (and your teams) are the true data source providers and keepers. Whether ceremoniously or officially, you will be treated as the company’s data protection lead. One caveat before you take the title literally: the Data Protection Officer under Articles 37 to 39 is a formally designated role with independence requirements, and the WP29 guidance on DPOs flags senior roles that set policy for processing, such as the head of IT, as likely conflicts of interest. If your company is required to appoint a DPO, you may be the natural sponsor and partner of that person rather than the officer yourself. The knowledge from being in this position still provides a unique opportunity for you. You are one of the executive leaders within your company who can appropriately drive collaboration and guidance and help mentor those directly affected by GDPR. Do not let this opportunity pass you by.

Your first step is to identify which of the two main roles under GDPR your company plays for each processing activity: Controller (the entity that determines the purposes and means of processing) or Processor (an entity that processes personal data on a controller’s behalf). The roles attach to the legal entity, not to individual employees, and many companies hold both at once, for example controller for their own employee and customer data and processor for data handled on a client’s behalf. Each role carries its own obligations, so getting the classification right for every data set is what makes the rest of the program tractable. Your knowledge of the subject can be used to reach out, bring people together, and build a strong training program that will bring your company into compliance.

Weaving together the many parts of your company to ensure that data privacy is handled correctly is no easy task. You may be hamstrung by the complexity of your own proprietary technology. You may have hundreds of groups all contributing, in different data sets, to the company’s overall data estate. Bringing these disparate teams together may be challenging, as each group may come to the table with a different approach to collecting and sharing data.

Every entity that works with personal data is under obligations for data privacy, whether as controller or processor. Though the initial projections are that enforcement will start quietly, the threat of fines under Article 83 of up to €20 million or 4% of total worldwide annual turnover, whichever is higher, will hopefully motivate the correct behavior.

In part two, I’ll discuss how your security program relates to GDPR and how GDPR can help position you to drive Sales enablement.

*I am not a CSO practitioner nor a GDPR expert. I am, however, a zealot and advocate for the CSO’s career development and the promotion of their increasing impact within today’s organizations.

Reference material:
Article 29 Working Party (WP29) guidelines on Data Protection Officers
GDPR Article 30 – Records of processing activities
GDPR Article 83 – General conditions for imposing administrative fines
Privacy by Design framework