Need for collaboration among security, privacy professionals extends beyond GDPR

As we close within two months of the deadline for implementing the European Union’s General Data Protection Regulation (GDPR), enterprises around the world are still grappling not only with preparing for compliance, but what GDPR will mean on an ongoing basis.

GDPR represents a profound change in how personal data and privacy considerations will be handled for all organizations that process EU residents’ personal data. While feeling a level of trepidation is to be expected for enterprises preparing for the May 25 compliance deadline, GDPR will ultimately lead to stronger connections among and between security and privacy professionals, as well as more extensive cross-functional enterprise collaborations. Enhancing these channels of communication will enable enterprises to comply with GDPR and should also better equip organizations to meet a range of other challenges, facilitating enduring organizational improvements. 

Many enterprises pursuing GDPR compliance have discovered substantial gaps through assessing their current state and where they need to be in order to be fully GDPR-compliant. To properly identify and work toward addressing those gaps in people, processes and technology, experts from across the organization — ranging from the legal team, to those engaged with third parties within the supply chain, to the new role of Data Protection Officer (DPO) — must share their expertise. Nowhere is the need for effective collaboration more pertinent than between security and privacy professionals, and that is an approach that should extend well beyond the compliance deadline. 

How to avoid expensive fixes

One of the natural areas for collaboration between security and privacy professionals is in the creation and deployment of products, services and solutions. This can help facilitate solid innovation governance and makes certain that “privacy by design” and “security by design” are part of the foundation of whatever is being created. By incorporating both privacy by design and security by design at these early stages, cost savings are realized by avoiding expensive fixes once products are introduced. Organizations also realize other important benefits — continued customer support for offerings, and no damage to brand reputation in the marketplace. These might seem like intangibles, but shareholders would beg to differ.

Increasingly, our professional community sees the value in becoming well-versed in related professional disciplines. Just as auditors benefit from learning about cybersecurity, privacy and security professionals should pursue the knowledge and training that will enable them to apply a broader understanding of the intertwined challenges that impact their enterprises. In some ways, the job market will take care of this for us. As more employers seek security professionals with solid privacy expertise — or privacy professionals with solid security expertise — job postings will reflect those needs, which will chip away at the ‘silo-ing’ factor. This dynamic will be accelerated by the increased emphasis on data privacy leading up to — and beyond – GDPR implementation.

As the buildup to the May 25 enforcement deadline ramps up, ISACA and others have done their best to address a range of misconceptions that have taken root — such as the errant belief that GDPR does not apply to small businesses, or that cloud providers are responsible for the organization’s GDPR compliance. GDPR is not a checklist to be completed, separate from the enterprise’s core functions and capabilities. Compliance with GDPR needs to be a basic, foundational element of the organization’s operations, capabilities and decision-making. ISACA’s recently published implementation guide offers a hands-on view of how organizations can achieve GDPR compliance and transition toward a lasting data protection management system.

Privacy reimagined

It has long been clear that major process improvements are in order. For years, “privacy is dead” headlines have made the rounds in the media. ISACA’s own 2014 research showed that a whopping 94% of respondents were concerned about the decreasing level of personal privacy. Those concerns have only intensified in subsequent years as a flurry of major data breaches and the proliferation of data-producing personal devices have left privacy advocates feeling like they are dealing with a deck stacked against them.   

GDPR marks an important step forward for data privacy. In a world of rapid technology changes and amid an increasingly complex regulatory and compliance environment, embracing a cross-functional approach that brings all of an enterprise’s necessary knowledge to the table is the only viable way forward. In the future, we might find ourselves not speaking in terms of “security” or “privacy,” but in terms of “protected,” “closed,” or “impenetrable.”

We live in times of promising digital transformation, with artificial intelligence, blockchain and an array of Internet of Things (IoT) devices among the technologies capable of positively impacting our personal and professional lives. Yet, enterprises need to mitigate the associated risks in order to improve business performance and results. As they do so, data privacy considerations must heavily factor into the enterprise’s considerations. GDPR has prompted more of those cross-functional conversations to take place in recent months, and organizations would be well-served to continue them long after May 25 has come and gone.