If a chief security officer was doing his or her job correctly, the business (almost) never needed to talk to them. But the EU General Data Protection Regulation (EU GDPR) promises to change that.
Under the old regime, breach notifications were only mandatory for government agencies or telecoms providers. So, if CSOs struggled to reach an audience before, now they will have the board attentively listening. Post-2018, organisations that suffer a data breach will need to notify the relevant data protection authority, and the fines for non-compliance are €20 million or up to 4 per cent of global turnover. (And if you’re reading this as a CSO of a company from outside of the EU that handles data pertaining to EU subjects, the fines apply to global turnover, not just turnover in Europe.)
Until 25 May 2018, CSOs and their organisations remain subject to their relevant national data protection legislation, whether that is the Data Protection Acts, La Loi informatique et libertés or the Datenschutzgesetz. But as we have previously outlined on this blog, now is the time to get educated about the main changes from country-specific legislation to EU-wide GDPR, and to start thinking from the perspective of the entire European region.
CSOs will need to update themselves on data breach notification and on transfer of data – particularly in light of the EU-US Privacy Shield replacing Safe Harbor – and then look at the rights related to profiling and automated decision making, which determine whether, and how, you can use the data.
Privacy impact assessments will also feature more heavily in the CSO’s role than ever before. Current legislation calls for risk assessment, but EU GDPR contains more specific guidance as to when you need to do a privacy impact assessment, and the demands in the new law are more stringent. The current Data Protection Acts in Ireland refer to “appropriate security measures”, whereas under GDPR a privacy impact assessment is required if you’re dealing with data that could be at risk because of what you are doing with it. Regardless of the size of your organisation, if you will be handling or processing protected health information or credit card data, you will need to carry out a privacy impact assessment. Saying you have a firewall won’t cut it any more.
Article 37 of GDPR, for example, refers to the designation of data protection officers within organisations. The Institute of Privacy Professionals has forecast this element of the new rules will have an enormous impact, with 28,000 data protection officers required in Europe alone.
Notwithstanding all of the technical challenges, policies and procedures, user training requirements, cost and time that GDPR is imposing, I believe this presents a great opportunity for CSOs to create a strategy over the next two to three years that will embed a solid foundation for good security, continuous compliance and reduced attacks on your organisations.
This is a good way to define the pillars of security that a CSO manages, in addition to data protection. For example, it encompasses crisis management, people security, physical security, infrastructure security, traditional networks, mobile networks, satellite or branch offices, and third parties who end up possessing some of your organisation’s data.
We now have a great opportunity to incite companies to look at security from all angles between now and May 2018. By nature, I’m a glass half-full type of guy. From a cybersecurity perspective, GDPR is definitely a half-full glass, and it gives CSOs the ideal starting point to fill the remainder.