Will the GDPR help the CISO?


The General Data Protection Regulation will be the biggest shake-up of data protection measures in almost 20 years, so what does it mean for your average security type? Dan Raywood talked to Quentyn Taylor about his predictions for the two years until it applies.

The statement made on the regulation panel at this year's Infosecurity Europe was "GDPR affects you if you are alive and on planet Earth".

That panel was chaired by PwC’s Stewart Room, and appearing on that panel was Quentyn Taylor, director of information security at Canon for the EMEA region. I recently caught up with Quentyn to talk about how the GDPR will affect businesses and ask him the big question: are companies going to be ready for this in May 2018 and is it actually going to help?

“I think it largely depends, as businesses are becoming more ready for it but the problem with having a law with a two year sunrise period is that it is very easy to put off and put on and then you realise [the deadline] is in six months,” he said.

Taylor likened it to a university dissertation: you put off writing it until you realise it is due in a matter of days and have to work on it overnight. That, he said, is what worries him, because GDPR is not something that can be done overnight; rather than a change of law, it is a change of mindset and attitude.

“If you break it down into the 12 points that the ICO rather helpfully broke it down into, you have bits in there that are essential and you should start with now – privacy by design, privacy impact assessments - you should start thinking about that as your system could be going live in two years’ time, but you’ve got to do the preparation work now and there are not a lot of people doing critical path analysis to work out, if they work backwards from 25th May 2018, what they need to have done now.”

Taylor said that what you need to have done now is to have a strategy: an idea of what you need to do and of how you are going to do it. “Also a lot depends on your geographical scope; which leads on to whether this will help companies – absolutely it will help companies. I think if you are a large multi-national, or a company which is considering binding corporate rules, or is dealing with multiple data regulators, or is having to wrestle with multiple sets of data laws, or is dealing with all kinds of data in all different places, then this will absolutely help you as the concept of ‘one stop shop’ is in there,” he said.

“The concept of picking a lead regulator, the ability to register once and not with lots of different places, and the ability to have one set of laws and one set of rules that will apply. These are really interesting bits and hopefully this will also avoid, from the regulatory standpoint, the death of a thousand cuts where you end up with multiple regulators wanting to talk to you about a major incident.”

So it is all positive then, and Quentyn said that it is “something that has been a long time in coming and I am really happy it is finally here”, but that it was important to begin taking it seriously: if you treat it as a project rather than as a lifestyle change, it will come back to hurt you.

The regulation addresses several key areas of modern data protection, including the rights of data subjects over their personal data, data breach notification and the transfer of personal data outside the EU. Formally adopted on 27 April 2016, it applies from 25 May 2018, when it replaces the 1995 Data Protection Directive, on which the UK's Data Protection Act 1998 (itself the successor to the 1984 act) was based.

“The EU could have done a directive relatively easily, as a directive would go through as the changes could have been made locally without changing a huge amount,” Taylor said.

The initial steps were made in early 2012, when Viviane Reding, vice-president of the European Commission in charge of justice, fundamental rights and citizenship, proposed the reform. After a lengthy approval process it suddenly came back to life in December 2015, when political agreement was reached, and it was formally approved this year.

Taylor said that when it came through, people were a bit shellshocked: after all the planning that had taken place, the event was suddenly upon us. “That’s the thing with GDPR, we spent so long talking about it and agonising over what it might be and thinking about it that within a few short weeks, it was through.”

Moving on to how it will help businesses, Taylor said that he believed it will help on two levels: for some companies it will make processes easier, as it establishes one centralised process; and it will also help the information security industry “dramatically”, as its requirements will give the canny information security person a place at the table.

“I’m lucky and do have a place at the table, but I talk to colleagues and they said that they don’t have a place and now by law, the data protection people have to be there at the beginning,” he said. “If you make your privacy impact assessments and wrap them all together, you get a place at the table in the beginning. So this will help the industry dramatically and I say to people to get out there, learn about it as you can be useful and helpful and the sky is not falling in, there is a huge world of opportunity and you have just got to work out how to utilise it.”

In our last issue, we talked to the National Association of Data Protection Officers (NADPO) about the impact and creation of the DPO role in the era of the GDPR. Taylor said that it is good practice to have someone in that position: if you want to play in the space of handling large amounts of personal data, you have got to determine where your data is.

So is responsibility one of the early problems of the GDPR, and is the next challenge to make sure someone takes a lead on it, whether they sit in IT, security, compliance or even legal? Quentyn said that this is the key point, as step one of becoming ready is to have a strategy and sit down and say “what are we looking to do”.

“It is the old story of someone saying ‘our database vendor is our strategy’, and I said ‘no, a product is not a strategy, a strategy is a strategy and the product supports the strategy’. It is the same thing, compliance is the end goal but it is a big word so what are we going to change and be different to what the current processes are going to be and what to do with cross-border transfer, is it going to change the areas of business that you are going into and what areas does it open up? My opinion is not what is this going to stop, but what is it going to enable you to do?”

He believed that in information security a lot of people are ‘glass half empty’ types, and that GDPR is a mixed bag of good things and bad things: if you go in thinking it is a bad thing, then it will be a bad thing.

“Go in with positivity. Privacy by design, privacy impact assessments and data mapping are the three biggest things – ‘where is my data’ is a big question and it is a question information security people need to understand,” he said.

“The correct way is to sit down and say ‘what are we trying to achieve’ and then risk assess the different areas of your business and say ‘what are the areas that are most and least sensitive’. I recommend looking at the ICO’s 12 step plan and working through it, as being ready is not just about getting a data protection course of policies, but how we are changing the culture of the company.

“The GDPR is very prescriptive on the way to do this, and you must have documented processes and the standards are down to one way of doing things and we will receive guidance on that.”

In conclusion, Quentyn left me with an analogy: “If data is the soil of the new economy, then risk and risk management is the fertiliser that helps it grow. Too much or the wrong type, and the plant dies. Just the right amount and it flourishes.” Let’s wait and see if GDPR will over-feed the security industry.
