A discussion about protecting your data

With changes in the current regulatory environment, such as the European Union’s upcoming General Data Protection Regulation, or GDPR, rules from the New York Department of Financial Services and China’s recently enacted Cyber Law, the roles of the chief privacy officer (CPO) and chief information security officer (CISO) are becoming more recognized, more required and more dependent on collaboration with each other.

TBBW’s Tech Connect events were created to bring together subject matter experts behind the ever-changing technology conversation.

This conversation was moderated by Robert Hessel, CEO of Source 1 Solutions. The transcript has been edited for length and clarity.

The Panelists

• Avani Desai, president, Schellman

• Karen Gispanski, business information security officer, Nielsen

• Michael Scott, chief privacy and security officer, Spirion

We’ve got a really interesting topic. Most people probably don’t know a lot about it, but GDPR is a very interesting topic because it affects most businesses even though they don’t know that it does. So let’s just jump right into question No. 1: What is GDPR? It’s a buzz term and an industry term, but can you explain it in layman’s terms? 

Scott: GDPR is really about protecting people, right? If you think about PCI [payment card industry compliance], you think it’s about protecting credit cards, but it’s really about protecting the credit card issuers. GDPR is much more about protecting the citizens. It’s giving individuals the right to control their data. Coming from a security background, I’ve always been protecting data. Moving into privacy is about how we use the data. So if you think about GDPR, it governs how the data is used and puts it back into the consumer’s hand to control that.

Desai: The European Union was very concerned about the United States’ privacy laws. So when I think of United States privacy laws, we’re an “uncheck the box” society. So when you go onto a website, that checkbox is always checked for you, right? To not get spam and so forth you have to uncheck the box. If you go to the EU, you have to implicitly check that box. When the EU looked at our privacy laws, they felt some of them were just nonexistent.

They were worried about keeping the EU citizen’s data safe. So GDPR came out and said, well, now, if you want to do work with EU citizens and you’re in the U.S., you have to go through this assessment. It’s still a self-assessment. There is potential for it to become a certification. We don’t know about that yet. But really what it does is it provides EU citizens comfort that the U.S. companies are doing the right things when it comes to privacy. And if they’re not doing the right thing, as you’re starting to see, some GDPR fines will occur.  

Gispanski: And I’ll add to it from a technology perspective. When you have organizations that have a lot of legacy systems, the question arises: how do I purge data if an EU individual reaches out to my organization and says, “I want to be forgotten from all of your systems”?

If you’re familiar with databases and complicated technology, that’s a very easy thing to ask for. Maybe not so easy to do. So the biggest thing that I see, being a technologist and being that business partner, is to make sure that the leaders understand first off, what are the regulatory requirements around it? Where do we have challenges? Where the data may reside, and then, how do we start solving those problems?

It’s not an easy problem to solve, but it’s a must-have. And the one thing I would also add is if an EU individual is in the U.S., they still have those same rights. You can’t think of it as where they are located and put your policies around that.

How are legacy businesses different than new businesses regarding GDPR, financially?

Desai: No compliance efforts are ever cheap. And we know that. There’s a cost of compliance and with these new privacy laws, CCPA, the California Consumer Protection Act; GDPR, which is in the EU; and every state is going to come out with their privacy laws.

So legacy versus nonlegacy. There’s a lot of managed service providers that are out there and when you outsource to a company like that, you can say to them we are going to trust you with the hopes [you’ll manage that].

The problem is, were the legacy systems built to adhere to privacy and security laws? Most of the time, no, they weren’t. They were built to meet a business objective that was out there and privacy and security may have come in on the back end. So you see a lot of these legacy systems with a lot of add-ons.

When I look at clients and they have a legacy system I’m not going to say the cost is more, but there are a lot more resources, potentially, internally that they have to go through to make sure that those systems are safeguarded and have the right controls in place.

Gispanski: If you’re starting up new technology, whether it’s in the cloud environment or on-premises software, you need to make sure, first of all, that you understand the regulatory requirements, not just GDPR. You need to truly understand it because when you’re moving your data into the cloud, you’re still responsible for the data. So yes, you can leverage the cloud providers, technology and their protections. However, you need to do the design work. You need to do your homework and understand how this cloud provider is or, perhaps your staff is, building applications to meet regulatory laws and also make sure that you have adequate monitoring so you can identify bad actors along with being able to make sure that the proper protections are across the board. My point to you is with new technology, there’s a lot of upfront work but it is worth it.

And please do not think that you can move your solutions to the cloud and all your problems go away. It’s not that easy.

Let’s talk about a legacy company, a lumberyard for example, versus a new company like an Amazon or something like that. What about the cost implications, because that kind of ties into one another. 

Scott: I come from a 50-year-old hamburger company. I think one of the problems is not only do you have technical debt, you have systems that you’re going to struggle with. You have so much procedural debt.

I think the costs are probably just more relative to the size of the business, but it adds complexity, because sometimes you have to go back and this company has gathered tons of data for loyalty and marketing, and now you have it and you’ve built business processes where you need it. You can’t just stop collecting.

We have a BSO, a president and a CPO on the panel. How do those roles work together and what’s the difference in your roles? 

Desai: I’m different in the sense that I’m an audit firm. How many of you like having auditors in your company? Probably nobody. We’re not like your IRS auditor. What we do is we help companies, as both of my panel mates here, to make sure that they have a third-party assessment that they can provide to their clients to show them that they are safeguarding data. And we provide independent, third-party assessments. So then they can go out to their customers, or maybe even the regulators, and say we’re doing everything that we possibly can to make sure that we meet the obligations of our customers.

Gispanski: I work closely with our executive team at Nielsen, and I establish the committee with our leadership, to outline risk. We determine what we want to focus on and make sure that everyone has an understanding of what the No. 1 risk for the organization is, and we’re going to spend X dollars on technology.

Scott: It’s kind of an interesting evolution to me because if you look around, there are very few privacy officers that grew up in that industry. You can’t have privacy without security. It’s impossible. We’re working with a business, and in my case, also working with our customers, on what are the right things to do.

View the event highlight reel here: https://youtu.be/772I0X-cCGM

Photos by Ryan Gautier

About Tech Connect


Presenting sponsors were Acuity, TD Bank, Nextpath Career Partners, Ecover, Three Bridge and Source 1 Solutions. Gold sponsors were DCE Productions, PSCU and Spirion. The host sponsor was CI Group.

Partnering with TBBW on this event provides an opportunity to network with the area’s business elite, generate new business opportunities and increase brand awareness.

For information about event sponsorship opportunities, email Jason Baker at [email protected].

