In part one, I discussed how GDPR could positively impact both a CSO’s company and his or her career development.
In part two, I’ll offer a few more suggestions on how CSOs can use GDPR to boost their careers while bringing their team members together.
Know where your Security Program relates to GDPR
For those who have struggled with creating buy-in for compliance issues, you now have a law that provides an excellent teaching moment, but you need an action plan. You can utilize this opportunity to establish, enhance, and/or lock down your security program. With the exception of a few company vertical types, such as those deep in the financial services space, most CSOs have never had anything like GDPR to use as a platform for securing their security program.
Now is the time! You have everyone’s attention and they should be listening. Laws that have penalties large enough to threaten revenue will affect annual margins and in turn affect personal bonuses - which tends to get people’s attention. You will a streamlined plan and one that is ready to execute especially when dealing with compliance-focused projects. If you are an incoming CSO, starting with a new company, you should have the framework of your GDPR compliance training ready to go on Day 1.
Your program will only be successful if everyone knows what is going on, your narrative is clear, and scenarios are tested and practiced. Work closely with your non-technical counterparts and compliance teams to lay out and test your plans. Continuously perform application assessments and identify your gaps. Be ready to share your data mapping and inventory practices. Create real-time scenarios that can answer the questions and prepare everyone for responding to inquiries. Consistently practice and enhance your data breach and incident response plans. Be prepared and ready to execute on your program. Many of these procedures should be commonplace in your world, but perhaps not to the average user of the data.
Know what you have under the hood
Simply relying on your tech stack may not go well. Your privacy strategy and technology may be flawed as it relates to GPDR.
For instance, one of the big GDPR misconceptions is that some companies feel that they have a loophole to avoiding regulations because they can anonymize the data. No such luck. This loophole was considered when the terms were crafted and is covered in the “identifier” portion. Even if you have data sets that the regulators cannot see, the data can still lead to someone’s identity. Bits of information can be pieced together which could identify a person and voila! You have yourself an infraction. Of course, this growing area of anonymization and encryption technology using AI/ML is one of the areas where the regulators will likely focus and test companies.
Another area to consider is how you deliver your service. If delivered purely in the Cloud, on-prem, or a hybrid, you will be under the scope. In GDPR, there is not a huge difference. If you are billing customers, collecting data and creating telemetry then you are under the obligations. It may even start at the code level if you are a SaaS company. That is why it is critical to work closely with your Engineering and Product teams to create better visibility and enhance their awareness of policies and best practices. (see Privacy by Design as a reference).
Don’t forget about your third-party vendor relationships and related obligations. This is the likely chink in the armor for most companies and an area that the GDPR regulators will surely focus on. You may be in a situation where you need to drive revisions or even replacements for your User Agreements, 3rd Party Data requirements.
Know how GDPR can position you to help drive Sales enablement
As highlighted in previous blogs, the sales enablement function of the modern CSO is becoming one of the larger scoped components and a key metric of success. This is also another area where GDPR provides a unique opportunity to get closer to the business side of things.
You will need to pay close attention to the following things:
- How your marketing and sales departments are using data
- How your User Agreements are written
- What policies are listed in your customer contracts
- What do your 3rd Party Agreement look like
In any scenario where data is collected, mapped, stored, and otherwise used, there is an opportunity to teach the user community the best practices moving forward. Use your skill set and knowledge of the collective to become an advocate of privacy rights. If you see intentional or unintentional infractions for how personal data is used, accessed, and stored – speak up!
There is no certification for GDPR; it is law. Some of the new language discussing the basic rights such as ‘the right to be forgotten” is broad and can be open to interpretation. Learn the law and how to apply it and you can be the company’s great mind in this space.