CISOs and GDPR: The Top 3 Concerns
GDPR compliance is so relevant today because, well, it comes into effect starting tomorrow, May 25, 2018. The time for talking about how to prepare is over. What’s important now is dealing with the inevitable reality of GDPR, but that’s difficult given that there is uncertainty in some cases on exactly how, where, and when GDPR is going to be enforced.
In “The CISOs Guide to GDPR”, expert Thomas Fischer offered up the three main concerns he’s hearing most often from CISOs regarding GDPR.
1) Uncertainty of potential GDPR fines
CISOs are unsure as to the potential value of fines to be levied against organizations for non-compliance. But worrying about fines shouldn’t be on a CISOs mind. What should be is compliance.
“I would much rather CISOs focus their attention on the things they can control and can implement to comply,” says Fischer. “This includes ensuring proper accountability is in place, personal data is correctly and securely used and stored and putting in place a means to demonstrate this.”
To help allay concerns around fines, Elizabeth Denham, UK Information Commissioner, recently wrote that GDPR is less about fines and more about “putting the consumer and citizen first.” She added that “focusing on big fines makes for great headlines, but thinking that GDPR is about crippling financial punishment misses the point.”
2) Confusion around what exactly needs to be done to be GDPR compliant
Fisher says many CISOs are still uncertain about what exactly needs to be done to comply with GDPR, including what’s affected, what exactly is or is not personal data, and how to determine which personal data is their responsibility.
“This confusion probably stems from the need to both protect a data subject’s personal data whilst also meeting the original intent of the GDPR, which is to give data subjects more power over their personal data,” adds Fisher.
3) How much work needs to be done to achieve GDPR compliance
GDPR compliance is going to take some work, obviously. But just how much work, and where it will need to be applied, may still be uncertain in some cases.
“Fundamentally, CISOs are beginning to see that the GDPR will require nothing short of a paradigm shift in how companies treat personal data,” says Fischer. How organizations treat this data, how they find it, and how they enable its compliance, is all subject to debate at this point.
Staying focused to achieve GDPR compliance
There’s a lot of fear, uncertainty, and doubt swirling around GDPR, which we addressed here, and the FUD throwers seem to be doing well at sowing all three, for better or worse. Our advice is to celebrate what you've accomplished to date, and stay focused on areas where you may not have achieved compliance. May 25th will come and go, and over time some concerns (like #2 listed above), will play out and clarity will arrive.
If you want some info to share with bosses, co-workers, and friends; a great place to start is the U.K.’s Information Commissioner’s Office 12 Step Guide to GDPR Compliance to help organizations get their shop in order. GDPR also has operational requirements, the most notable being the appointment of a Data Protection Officer. For more information, listen to what Debra J. Farber, noted data security and privacy expert, had to say about the details of this critical new role.