Regulatory Compliance

Advice from a CISO: GDPR won't create the certainty we crave

CISOs are the business leaders everyone is talking about. But what do they have to say? Richard Starnes is Chief Security Strategist at Capgemini and shares his views.

GDPR poses some technical challenges – and some people ones, too. It’s a measure of how quickly organisations are switching to data-driven models that many are still struggling to recruit data protection officers in time to comply with the new regulation.

GDPR states that for companies processing high volumes of data, a data protection officer is a mandatory hire. At any other time, that might not prove too much of a challenge, but when most other organisations are rushing to hire from the same talent pool, finding the right person before GDPR replaces current legislation next May could be problematic.

Anecdotally, some companies are looking to combine the role of the CISO with that of the new DPO in order to save money. Although in theory this is a workable solution, it’s debatable whether it remains within the spirit of the new regulation.

For those CIOs and CISOs who do find the right person, how will the roles dovetail? Will existing data practices be exposed as inadequate by ambitious DPOs? Will toes be trodden on?

There’s nothing to suggest that DPOs and CISOs can’t work well together. In the US, strict regulation means that most health companies employ a chief privacy officer. CPOs have to work hand in hand with the CISO or CIO to make sure health data complies with strict data privacy laws. That’s a congenial relationship – and both are focused on risk management and good data governance.

GDPR should be a straightforward step for most organisations, but there remain a few challenges for CISOs before the new regulation comes into effect. Non-compliance with GDPR following a data breach may result in a fine being imposed, on top of the unpredictable cost of reputational damage and customer churn.

Bringing in new regulation won’t necessarily decrease the level of uncertainty. That’s because breaches are rarely cut and dried. In most cases your first conversation with a lawyer is about whether or not what’s happened actually constitutes a breach.

If you have anonymised data for example, is it anonymised enough to avoid being traced back to an individual? Typically that’s a complicated question. Imagine a clerical error at a hospital in which the records of a patient are accidentally sent to someone else. On the surface that is a black and white case. But let’s say the patient has a very common name, Mr A Smith, living in a large city with quite a few other Mr Smiths. One of these other Mr Smiths has received the wrong letter from the local hospital. Is that a breach of personal data? Has the original Mr Smith’s personal information been compromised?


One thing’s for sure: CISOs will have to improve their legal knowledge quickly. And they’ll have to document every action, every thought and every process to ensure they can demonstrate they have acted within the confines of the new regulation. Most IT departments run a ticketing system, and this should be a good enough platform to create a reliable paper trail. But for others there will be an adjustment to make, particularly if they never got around to complying with the original DPA legislation in the first place.

One change that GDPR introduces is a broader definition of what constitutes personal data. But the fact remains that data cannot be considered personal unless it can be traced back, directly or indirectly, to the individual. DNA is a personal identifier. A person’s name could be enough – but equally it may not be. What about an IP address? If the IP address corresponds to the location of a hotel, could that IP address potentially identify an individual indirectly?

Several recent court decisions in Europe clarify that even dynamic IP addresses – and mobile device identification codes – are personal to an individual and must be treated accordingly. In the case of the hotel, given that it will have records of who slept in which room and when, all of the guests could potentially be identified indirectly.

New legislation won’t mean an increase in certainty. CISOs can never be 100 per cent certain on matters of privacy. But when you’re uncertain, it’s vital to manage the risk. Make sure you follow the rules. Be compliant. Follow industry best practice. Record everything. And be dispassionate, not emotional.

GDPR will cause headaches. Overall though, it needn’t present insurmountable challenges for an organised CISO. But if you’re not doing your job, not working to a recognisable compliance framework and you are trying to cover mistakes up, at some point you’re going to get caught. If you do, there’s one thing you can be certain of: the cost will be big.

IDG Connect