A discussion about protecting your data

With changes in the current regulatory environment—such as the European Union’s upcoming General Data Protection Regulation, or GDPR, the New York Department of Financial Services, and China’s recently enacted Cyber Law, the roles of the CPO and CISO are becoming more recognized, more required and needs more collaboration.

TBBW’s Tech Connect events were created to bring together subject matter experts behind the ever-changing technology conversation.

This conversation was moderated by Robert Hessel, CEO of Source 1 Solutions. The transcript has been edited for length and brevity.

The Panelists

• Avani Desai, president, Schellman

Karen Gispanski, business information security officer, Nielsen

Michael Scott, chief privacy and security officer, Spirion

We’ve got a really interesting topic. Most people probably don’t know a lot about it, but GDPR is a very interesting topic because it affects most businesses even though they don’t know that it does. So let’s just jump right into question No. 1: What is GDPR? It’s a buzz term and an industry term, but can you explain it in layman’s terms? 

Scott: GDPR is really about protecting people, right? If you think about PCI [payment card industry compliance], you think it’s about protecting credit cards, but it’s really about protecting the credit card issuers. GDPR is much more about protecting the citizens. It’s giving individuals the right to control their data. Coming from a security background, I’ve always been protecting data. Moving into privacy is about how we use the data. So if you think about GDPR, it governs how the data is used and puts it back into the consumer’s hand to control that.

Desai: The European Union was very concerned about the United States’ privacy laws. So when I think of United States privacy laws, we’re an “uncheck the box” society. So when you go onto a website, that checkbox is always checked for you, right? To not get spam and so forth you have to uncheck the box. If you go to the EU, you have to implicitly check that box. When the EU looked at our privacy laws, they felt some of them were just nonexistent.

They were worried about keeping the EU citizen’s data safe. So GDPR came out and said, well, now, if you want to do work with EU citizens and you’re in the U.S., you have to go through this assessment. It’s still a self-assessment. There is potential for it to become a certification. We don’t know about that yet. But really what it does is it provides EU citizens comfort that the U.S. companies are doing the right things when it comes to privacy. And if they’re not doing the right thing, as you’re starting to see, some GDPR fines will occur.  

Gispanski: And I’ll add to it from a technology perspective. When you have organizations that have a lot of legacy systems the questions arise, how do I purge data if an EU individual reaches out to my organization and says, “I want to be forgotten from all of your systems.”

If you’re familiar with databases and complicated technology, that’s a very easy thing to ask for. Maybe not so easy to do. So the biggest thing that I see, being a technologist and being that business partner, is to make sure that the leaders understand first off, what are the regulatory requirements around it? Where do we have challenges? Where the data may reside, and then, how do we start solving those problems?

It’s not an easy problem to solve, but it’s a must-have. And the one thing I would also add is if an EU individual is in the U.S., they still have those same rights. You can’t think of it as where they are located and put your policies around that.

How are legacy businesses different than new businesses regarding GDPR, financially?

Desai: No compliance efforts are ever cheap. And we know that. There’s a cost of compliance and with these new privacy laws, CCPA, the California Consumer Protection Act; GDPR, which is in the EU; and every state is going to come out with their privacy laws.

So legacy versus nonlegacy. There’s a lot of managed service providers that are out there and when you outsource to a company like that, you can say to them we are going to trust you with the hopes [you’ll manage that].

The problem is, were the legacy systems built to adhere to privacy and security laws? Most of the time, no, they weren’t. They were built to meet a business objective that was out there and privacy and security may have come in on the back end. So you see a lot of these legacy systems with a lot of add-ons.

When I look at clients and they have a legacy system I’m not going to say the cost is more, but there are a lot more resources, potentially, internally that they have to go through to make sure that those systems are safeguarded and have the right controls in place.

Gispanski: If you’re starting up new technology, whether it’s in the cloud environment or on-premises software, you need to make sure, first of all, that you understand the regulatory requirements, not just GDPR. You need to truly understand it because when you’re moving your data into the cloud, you’re still responsible for the data. So yes, you can leverage the cloud providers, technology and their protections. However, you need to do the design work. You need to do your homework and understand how this cloud provider is or, perhaps your staff is, building applications to meet regulatory laws and also make sure that you have adequate monitoring so you can identify bad actors along with being able to make sure that the proper protections are across the board. My point to you is with new technology, there’s a lot of upfront work but it is worth it.

And please do not think that you can move your solutions to the cloud and all your problems go away. It’s not that easy.

Let’s talk about a legacy company, a lumberyard for example, versus a new company like an Amazon or something like that. What about the cost implications, because that kind of ties into one another. 

Scott: I come from a 50-year-old hamburger company. I think one of the problems is not only do you have technical debt, you have systems that you’re going to struggle with. You have so much procedural debt.

I think the costs are probably just more relative to the size of the business but adds complexity, because sometimes you have to go back and this company has gathered tons of data for loyalty and marketing, and now you have it and you’ve built business processes where you need it. You can’t just stop collecting.

We have a BSO, a president and a CPO on the panel. How do those roles work together and what’s the difference in your roles? 

Desai: I’m different in the sense that I’m an audit firm. How many of you like having auditors in your company? Probably nobody. We’re not like your IRS auditor. What we do is we help companies, as both of my panel mates here, to make sure that they have a third-party assessment that they can provide to their clients to show them that they are safeguarding data. And we provide independent, third-party assessments. So then they can go out to their customers, or maybe even the regulators, and say we’re doing everything that we possibly can to make sure that we meet the obligations of our customers.

Gispanski: I work closely with our executive team at Nielsen, and I establish the committee with our leadership, to outline risk. We determine what we want to focus on and make sure that everyone has an understanding of what the No. 1 risk for the organization is, and we’re going to spend X dollars on technology.

Scott: It’s kind of an interesting evolution to me because if you look around, there are very few privacy officers that grew up in that industry. You can’t have privacy without security. It’s impossible. We’re working with a business, and in my case, also working with our customers, on what are the right things to do.♦

View the event highlight reel here: https://youtu.be/772I0X-cCGM

Photos by Ryan Gautier

About Tech Connect

TBBW’s Tech Connect events were created to bring together subject matter experts behind the ever-changing technology conversation.

Presenting sponsors were Acuity, TD Bank, Nextpath Career Partners, Ecover, Three Bridge and Source 1 Solutions. Gold sponsors were DCE Productions, PSCU and Spirion. The host sponsor was CI Group.

Partnering with TBBW on this event provides an opportunity to network with the area’s business elite, generate new business opportunities and increase brand awareness.

For information about event sponsorship opportunities, email Jason Baker at [email protected].

 [image_slider_no_space height=”300″ images=”8391,8390,8389,8388,8387,8384,8382,8381″]

You May Also Like
Hurricane Alliance Town Hall: 6 Ways Not to Lose Your Home After the Storms

Tampa Bay residents still navigating the aftermath of Hurricanes Helene and Milton are invited to attend a Hurricane Alliance Town Hall, a free event designed to provide insights and critical

Read More
South Tampa Chamber to celebrate 99 years at annual meeting

The South Tampa Chamber of Commerce will host its Annual Meeting and Awards Celebration on Dec. 11, 2024, at the Centre Club, in Tampa, presented by Tampa General Hospital. The

Read More
Ritz-Carlton Sarasota offering festive holiday experiences

The Ritz-Carlton Sarasota is offering a variety of luxury experiences, festive dining, wellness treatments and family-friendly activities. Highlights include a life-size gingerbread display, crafted by the resort’s pastry team, themed

Read More
A naughty elf and whiskey galore: Joy Bar spreads festive fun in Tampa

Christmas comes but once a year—unless you’re at Joy Bar, Tampa Bay’s only year-round Christmas-themed bar. This December, Joy Bar is decking its halls with festive fun, from live music

Read More
joy-bar-tampa
Other Posts
Dutkowsky family donates $1 million to renovate lobby St. Joseph’s Women’s Hospital

St. Joseph’s Hospitals Foundation has announced a $1 million donation from the Dutkowsky family, of Tampa, to fund a renovated lobby at St. Joseph’s Women’s Hospital, marking the facility’s 50th

Read More
Dutkowsky-donation-st-joesphs
Women’s Conference of Florida 2024: Inspiring Leadership, Empowering Change

The 2024 conference happens in downtown Tampa on Dec. 13

Read More
Tampa trucking company reports growth with AI-driven sales tools

Sun State International Trucks, a family-owned truck dealership based in Tampa, has reported a 10 percent increase in productivity, and time savings, for its sales representatives after implementing a series

Read More