Privacy is a problem of the past, the present and the future. The world, in general, is following the digital transformation provided by the fourth industrial revolution without regard to the details of the potential impact on privacy.
As usual, Europe has already anticipated the problem, and in May 2018, will adopt a new regulation called the EU General Data Protection Regulation (GDPR) to protect personal data which aims to strengthen and unify the protection of personal data for all individuals in the European Union.
Planned to come into force on 25 May 2018, the new regulation also extends to the areas of personal data export outside the European Community and promises to offer citizens and residents further control of their data online, which naturally promotes the improvement of the relationship with digital service providers, but also simplifies the environment for international business once unification occurs.
In this way, all local and foreign companies that process data from residents in the region will be subject to a strict compliance and security regime, with severe penalties of up to 4% of worldwide turnover.
The GDPR establishes representative changes when compared to previously valid directives in the following domains: extension extraterritorial applicability; materiality of penalties; consent conditions for data capture and processing; rules for reporting violations; access rights; rights to delete captured and processed data; data portability; privacy by design by integrating data protection at the beginning of systems and service design processes, and finally by naming data protection officers based on geolocation, capacity and conflict of interest.
New definition of personal data
The European Union has also considerably expanded the definition of personal data under the GDPR. Information such as name, address, age, parent’s name, as well as online identifiers such as IP addresses or geolocation, economic, cultural or health information are also considered personally identifiable information in the eyes of the new regulation. Even personal pseudonymous data may be subject to GDPR rules depending on how easy or difficult it is to identify the owner.
In a more practical view, control and data collection were divided into two domains. The first one, the data controller, is an individual or company that defines how and why someone's personal data is being captured. The second and last domain, the data processor, is the party that effectively captures data, an individual, a public authority, an agency, or another body that processes personal data on behalf of the data controller.
It is the data controller's responsibility to ensure that the chosen processor is following the GDPR law, while data processors must maintain records of their work to show they are complying with the law and comply with GDPR. Controllers and processors, even operating outside the European Union, will have to comply with the requirements of the new regulation if they are handling data from people within the community.
The user's consent to capture and process their personal data will no longer be able to occur through, for example, bullet-points pre-selected by the applications, making companies subject to severe penalties that can reach the figure of € 20mln or 4% of annual profits, whichever is greater.
What is the size of the problem in the hands of CISO?
It is interesting now to imagine how challenging it will be and how CISOs should position themselves facing the combination of the new requirements of the data protection regulation and the mass invasion of new disruptive technologies from the digital movement of Industry 4.0—Internet of things; cloud computing; mobility, Big Data; nano-technology; neuro-technology; robots; artificial intelligence; biotechnology; location detection, drones, and 3D printers—that exponentially increase records and bring the information technology assets and environments closer together from previously distant environments and operating technology assets.
In the first analysis, companies will need to understand what data is acquired, maintained and processed, and the legal basis for it. If you work with third-party vendors who act as processors, you will need to transcend the boundaries of your own company and verify that data protection policies are being adopted to meet the regulatory requirements.
It will be necessary to completely revise its own data protection policies, establish new processes to cover the new domains introduced by GDPR, such as reporting violations, for example, but also review the processes for developing new products and services so that already provide security and data protection in the design phase and not later as an added component, and ensure that all technology that supports compliance is up and running.
It's really a lot of work in such a short time, and the CISO will need help from the whole corporation.
I particularly shudder when, by enforcement of the law, companies and people have to accelerate their maturing processes when it comes to risk management and information security management. This is when we can effectively see a qualitative leap and, once we reach the age of majority, we will also be able to see true strategic CISOs, as business enablers, valued and with control at hand. Long live the GDPR!