As part of the TrustArc Privacy Insight Series Webinars, Andre Mintz, EVP, CISO and CPO at Red Ventures, Martin Gomberg, Senior Consultant at TrustArc, and Margaret Alston, Consulting Director at TrustArc, presented “What the GDPR Means for your Cybersecurity Strategy.” This blog post gives a brief summary of that webinar; you can listen to the entire webinar and download the slides here.
Companies have the increasingly difficult task of balancing privacy and security needs against innovation and globalization. During the webinar, Martin discussed a common pitfall that many companies faced before the GDPR: cyber security events receive far more coverage in the news than privacy does. This discrepancy in coverage often skews budgets and attention away from privacy and toward security. More recently, however, the GDPR has drawn attention because of the large fines (up to 4% of a company’s annual revenue or 20 million euros) associated with failure to comply. In a poll conducted during the webinar, 64% of participating attendees said they were “almost there” in their journey to GDPR compliance. This number is very close to the findings of TrustArc research, in which 60% of respondents estimated they would achieve compliance by year end (2018).
During the webinar, our panelists discussed whether cyber controls are the same as privacy controls. While the short answer is no, the discussion highlighted key differences that companies need to address. At a high level, cyber controls focus on monitoring, testing, detection, analysis, correlation, response, review, reinforcement and defense. Privacy controls focus on minimization, obfuscation, informed choice, individual data rights, and Privacy by Design.
Martin noted that, although the GDPR does not define them, organizational and technical measures are risk aligned and should be proportionate to the need. These measures can be operational, organizational, staffing-related, structural or procedural. For example, hiring an expert CISO is a measure that some would consider reasonable, depending on the circumstances.
Later in the webinar, the speakers went on to discuss how the GDPR applies to cloud computing. The cloud moves data out of the company’s direct control, which makes effective contracts key. Andre pointed out that he thinks of cloud processors as an extension of his own team, albeit a virtual one. A best practice tip he offered was that an external third-party vendor should follow the same guidance, procedures, policies and best practices as your own company. The contractual expectations between the controller and the processor need to be incredibly clear.
The webinar also covered these topics:
- Inventory networks, systems, data location, purpose, need, owners and controls
- Assessing business gaps to the law
- Mapping business processes and movement of data
- Risk assessments for data and system assets
- Evaluating contracts and disclosures
- Data owner choice, rights, and controls
- How to correct deficiencies
To hear about additional recommendations, watch the webinar on-demand or download the slides.