
How GDPR Can Be a Good Thing for a CSO’s Career: Part 2

In part one, I discussed how GDPR could positively impact both a CSO’s company and his or her career development.

In part two, I’ll offer a few more suggestions on how CSOs can use GDPR to boost their careers while bringing their team members together.

Know where your Security Program relates to GDPR

For those who have struggled with creating buy-in for compliance issues, you now have a law that provides an excellent teaching moment, but you need an action plan. You can utilize this opportunity to establish, enhance, and/or lock down your security program. With the exception of a few company vertical types, such as those deep in the financial services space, most CSOs have never had anything like GDPR to use as a platform for securing their security program.

Now is the time! You have everyone’s attention and they should be listening. Laws that have penalties large enough to threaten revenue will affect annual margins and in turn affect personal bonuses - which tends to get people’s attention. You will need a streamlined plan that is ready to execute, especially when dealing with compliance-focused projects. If you are an incoming CSO starting with a new company, you should have the framework of your GDPR compliance training ready to go on Day 1.

Your program will only be successful if everyone knows what is going on, your narrative is clear, and scenarios are tested and practiced. Work closely with your non-technical counterparts and compliance teams to lay out and test your plans. Continuously perform application assessments and identify your gaps. Be ready to share your data mapping and inventory practices. Create real-time scenarios that can answer the questions and prepare everyone for responding to inquiries. Consistently practice and enhance your data breach and incident response plans. Be prepared and ready to execute on your program. Many of these procedures should be commonplace in your world, but perhaps not to the average user of the data.

Know what you have under the hood

Simply relying on your tech stack may not go well. Your privacy strategy and technology may be flawed as it relates to GDPR.

For instance, one of the big GDPR misconceptions is that some companies feel they have a loophole to avoid the regulations because they can anonymize the data. No such luck. This loophole was considered when the terms were crafted and is covered in the “identifier” portion. Even if you have data sets that the regulators cannot see, the data can still lead to someone’s identity. Bits of information can be pieced together that could identify a person and voila! You have yourself an infraction. Of course, this growing area of anonymization and encryption technology using AI/ML is one of the areas where the regulators will likely focus and test companies.

Another area to consider is how you deliver your service. Whether it is delivered purely in the cloud, on-prem, or as a hybrid, you will be in scope. In GDPR, there is not a huge difference. If you are billing customers, collecting data, and creating telemetry, then you are under the obligations. It may even start at the code level if you are a SaaS company. That is why it is critical to work closely with your Engineering and Product teams to create better visibility and enhance their awareness of policies and best practices (see Privacy by Design as a reference).

Don’t forget about your third-party vendor relationships and related obligations. This is the likely chink in the armor for most companies and an area that the GDPR regulators will surely focus on. You may be in a situation where you need to drive revisions or even replacements for your User Agreements and 3rd Party Data requirements.

Know how GDPR can position you to help drive Sales enablement

As highlighted in previous blogs, the sales enablement function of the modern CSO is becoming one of the larger scoped components and a key metric of success. This is also another area where GDPR provides a unique opportunity to get closer to the business side of things.

You will need to pay close attention to the following things:

  •  How your marketing and sales departments are using data
  •  How your User Agreements are written
  •  What policies are listed in your customer contracts
  •  What your 3rd Party Agreements look like

In any scenario where data is collected, mapped, stored, and otherwise used, there is an opportunity to teach the user community the best practices moving forward. Use your skill set and knowledge of the collective to become an advocate of privacy rights. If you see intentional or unintentional infractions for how personal data is used, accessed, and stored – speak up!

There is no certification for GDPR; it is law. Some of the new language discussing basic rights, such as “the right to be forgotten”, is broad and can be open to interpretation. Learn the law and how to apply it and you can be the company’s great mind in this space.

Reference material:
Article 29 Working Party (WP29)
Article 83 – General Conditions for Imposing Admin Fines
Privacy by Design framework

How GDPR Can Be a Good Thing for a CSO’s Career: Part 1

GDPR is on everyone’s minds and in everyone’s inboxes right now. But what does it have to do with today’s CSO and his or her career track?

GDPR provides a rare opportunity for a CSO to place his or her fingerprints on the company’s data privacy approach and practices. CSOs are in a unique position to both help guide their companies through a difficult process and benefit from career development and exposure. GDPR is a compliance forcing function at a scale that we haven’t seen in nearly 20 years (i.e., SOX). If a CSO is able to bring together the many pieces, he or she will lead their company and ultimately their career to success.

As of May 25, 2018, GDPR became enforceable. The challenge for CSOs is to consider how prepared they are to drive this initiative and lead their companies to success. Most security and compliance regulations require a cultural change within the ranks to take hold, but many think that GDPR is the big one that will govern us all, or at the very least will set the tone. Though the EU took the lead on data privacy, this law affects all companies.

In this two part series, I’ll share a few suggestions for CSOs who want to use GDPR’s arrival as an opportunity to further their company’s success as well as their own.

Know your role as it relates to GDPR

As the CSO, it will be your responsibility to rally around the cause of data privacy and use this opportunity to bring everyone in your company (and its many third party relationships) along for the journey. It sounds difficult, but the good news is that you already know where and how the data flows throughout the company and how the specific people functions intertwine with that data.

In many ways, you (and your teams) are the true data source providers and keepers. Whether ceremoniously or officially, you are the Data Protection Officer. The knowledge from being in this position provides a unique opportunity for you. You are one of the executive leaders within your company that can appropriately drive collaboration and guidance and help mentor those directly affected by GDPR. Do not let this opportunity pass you by.

Your first step is to identify who in the company fits into the two main roles under GDPR: Data Controllers, called “Controllers”, and Data Processors, called “Processors”. If your company is processing personal data in any way, then both roles exist within your company. Your knowledge of the subject can be used to reach out, bring people together, and build a strong training program that will bring your company into compliance.

Weaving together the many parts of your company to ensure that data privacy is handled correctly is no easy task. You may be hamstrung by the complexity of your own proprietary technology. You may have hundreds of groups all contributing, in different data sets, to the data collective. Bringing these disparate teams together may be challenging as each group may come to the table with a different data collection and dispersal approach.

Every entity that works with data is under the same obligations for data privacy. Though the initial projections are that the bark of GDPR will be smaller than the bite, the threat of 4% of top-line revenue will hopefully motivate the correct behavior.

In part two, I’ll be discussing knowing where your security program relates to GDPR and how GDPR can help position you to help drive Sales enablement.

**I am not a CSO practitioner nor a GDPR expert. I am however a zealot and advocate for the CSO’s career development and the promotion of their increasing impact within today’s organizations.
