A discussion about protecting your data

With changes in the current regulatory environment, such as the European Union's upcoming General Data Protection Regulation (GDPR), the New York Department of Financial Services' cybersecurity regulation and China's recently enacted Cybersecurity Law, the roles of the chief privacy officer (CPO) and chief information security officer (CISO) are becoming more recognized and more often required, and they demand closer collaboration.

TBBW’s Tech Connect events were created to bring together subject matter experts behind the ever-changing technology conversation.

This conversation was moderated by Robert Hessel, CEO of Source 1 Solutions. The transcript has been edited for length and clarity.

The Panelists

• Avani Desai, president, Schellman

• Karen Gispanski, business information security officer, Nielsen

• Michael Scott, chief privacy and security officer, Spirion

We’ve got a really interesting topic. Most people probably don’t know a lot about it, but GDPR is a very interesting topic because it affects most businesses even though they don’t know that it does. So let’s just jump right into question No. 1: What is GDPR? It’s a buzz term and an industry term, but can you explain it in layman’s terms? 

Scott: GDPR is really about protecting people, right? If you think about PCI [payment card industry compliance], you think it’s about protecting credit cards, but it’s really about protecting the credit card issuers. GDPR is much more about protecting the citizens. It’s giving individuals the right to control their data. Coming from a security background, I’ve always been protecting data. Moving into privacy is about how we use the data. So if you think about GDPR, it governs how the data is used and puts it back into the consumer’s hand to control that.

Desai: The European Union was very concerned about the United States’ privacy laws. So when I think of United States privacy laws, we’re an “uncheck the box” society. So when you go onto a website, that checkbox is always checked for you, right? To not get spam and so forth you have to uncheck the box. If you go to the EU, you have to implicitly check that box. When the EU looked at our privacy laws, they felt some of them were just nonexistent.

They were worried about keeping the EU citizen’s data safe. So GDPR came out and said, well, now, if you want to do work with EU citizens and you’re in the U.S., you have to go through this assessment. It’s still a self-assessment. There is potential for it to become a certification. We don’t know about that yet. But really what it does is it provides EU citizens comfort that the U.S. companies are doing the right things when it comes to privacy. And if they’re not doing the right thing, as you’re starting to see, some GDPR fines will occur.  

Gispanski: And I’ll add to it from a technology perspective. When you have organizations that have a lot of legacy systems, the question arises: how do I purge data if an EU individual reaches out to my organization and says, “I want to be forgotten from all of your systems”?

If you’re familiar with databases and complicated technology, that’s a very easy thing to ask for. Maybe not so easy to do. So the biggest thing that I see, being a technologist and being that business partner, is to make sure that the leaders understand first off, what are the regulatory requirements around it? Where do we have challenges? Where the data may reside, and then, how do we start solving those problems?

It’s not an easy problem to solve, but it’s a must-have. And the one thing I would also add is if an EU individual is in the U.S., they still have those same rights. You can’t think of it as where they are located and put your policies around that.

How are legacy businesses different than new businesses regarding GDPR, financially?

Desai: No compliance efforts are ever cheap. And we know that. There’s a cost of compliance and with these new privacy laws, CCPA, the California Consumer Protection Act; GDPR, which is in the EU; and every state is going to come out with their privacy laws.

So legacy versus nonlegacy. There’s a lot of managed service providers that are out there and when you outsource to a company like that, you can say to them we are going to trust you with the hopes [you’ll manage that].

The problem is, were the legacy systems built to adhere to privacy and security laws? Most of the time, no, they weren’t. They were built to meet a business objective that was out there and privacy and security may have come in on the back end. So you see a lot of these legacy systems with a lot of add-ons.

When I look at clients and they have a legacy system I’m not going to say the cost is more, but there are a lot more resources, potentially, internally that they have to go through to make sure that those systems are safeguarded and have the right controls in place.

Gispanski: If you’re starting up new technology, whether it’s in the cloud environment or on-premises software, you need to make sure, first of all, that you understand the regulatory requirements, not just GDPR. You need to truly understand it, because when you’re moving your data into the cloud, you’re still responsible for the data. So yes, you can leverage the cloud providers, their technology and their protections. However, you need to do the design work. You need to do your homework and understand how this cloud provider, or perhaps your staff, is building applications to meet regulatory laws. Also make sure that you have adequate monitoring so you can identify bad actors, along with making sure that the proper protections are in place across the board. My point to you is that with new technology there’s a lot of upfront work, but it is worth it.

And please do not think that you can move your solutions to the cloud and all your problems go away. It’s not that easy.

Let’s talk about a legacy company, a lumberyard for example, versus a new company like an Amazon or something like that. What about the cost implications, because that kind of ties into one another. 

Scott: I come from a 50-year-old hamburger company. I think one of the problems is not only do you have technical debt, you have systems that you’re going to struggle with. You have so much procedural debt.

I think the costs are probably just more relative to the size of the business, but it adds complexity, because sometimes you have to go back. This company has gathered tons of data for loyalty and marketing, and now you have it and you’ve built business processes where you need it. You can’t just stop collecting.

We have a BISO, a president and a CPO on the panel. How do those roles work together, and what’s the difference in your roles?

Desai: I’m different in the sense that I’m an audit firm. How many of you like having auditors in your company? Probably nobody. We’re not like your IRS auditor. What we do is we help companies, as both of my panel mates here, to make sure that they have a third-party assessment that they can provide to their clients to show them that they are safeguarding data. And we provide independent, third-party assessments. So then they can go out to their customers, or maybe even the regulators, and say we’re doing everything that we possibly can to make sure that we meet the obligations of our customers.

Gispanski: I work closely with our executive team at Nielsen, and I establish the committee with our leadership, to outline risk. We determine what we want to focus on and make sure that everyone has an understanding of what the No. 1 risk for the organization is, and we’re going to spend X dollars on technology.

Scott: It’s kind of an interesting evolution to me because if you look around, there are very few privacy officers that grew up in that industry. You can’t have privacy without security. It’s impossible. We’re working with a business, and in my case, also working with our customers, on what are the right things to do.♦

View the event highlight reel here: https://youtu.be/772I0X-cCGM

Photos by Ryan Gautier

About Tech Connect


Presenting sponsors were Acuity, TD Bank, Nextpath Career Partners, Ecover, Three Bridge and Source 1 Solutions. Gold sponsors were DCE Productions, PSCU and Spirion. The host sponsor was CI Group.

