Managing the Web of Data Protection and Global Regulation

What are businesses doing differently now that the GDPR has taken effect? That was the topic of discussion in two executive boardroom sessions moderated by PKWARE CEO Miller Newton.

The discussions took place during recent Evanta CISO Executive Summits in San Francisco and London, bringing together information security executives from major corporations on both sides of the Atlantic.

Executive boardrooms—private, interactive sessions designed to create a dialogue around a key topic—are popular events, allowing attendees to join their peers to discuss and learn how others are executing and thinking about their data security initiatives. The topic for the San Francisco and London boardrooms was "Managing the Web of Data Protection and Global Regulation."

Here’s a look at the recurring themes and key takeaways that emerged from the sessions:

Many organizations underestimated the significance of GDPR

Boardroom participants reported that many of their business units initially saw GDPR compliance as being as simple as a "flip of a security switch." Once they began to assess their actual readiness, they realized how complex the task of finding and securing sensitive data can be. Many companies are still working to determine what they need to do in order to fully protect their data.

Executive involvement makes a difference

Companies whose senior leaders were engaged in the process tended to have more success in their GDPR compliance journeys. Executive involvement made it easier to get the necessary resources, and to communicate the importance of compliance throughout the organization.

It helps to get outside advice

CISOs at the boardroom sessions agreed that outside legal counsel is especially helpful in ensuring that companies follow a process that moves them toward compliance with GDPR and other government mandates.

DPOs are hard to find

Many CISOs are struggling to determine who in the organization should be assigned to the Data Protection Officer (DPO) role. One of the more commonly mentioned approaches was to hire an external DPO—someone who is not tied to the company’s legal or security teams, and can make an objective assessment of data privacy processes and risks.

Data discovery is a key concern

How can you ensure that data is protected when you don’t know where it is? Most companies are still dealing with that challenge and are in the process of trying to locate their sensitive data. (If your organization is in a similar spot, be sure to explore Smartcrypt’s automated discovery, classification, and data protection capabilities.)

The right to be forgotten is a huge challenge

Almost every CISO who participated in the boardroom sessions said that complying with the GDPR "right to be forgotten" remains a serious problem. Few companies feel that they have the tools or processes in place to identify and delete the correct data when they receive a valid request for deletion from an EU citizen.

Everyone is watching for the next breach

Naturally, the first GDPR “failure” that goes to court is of major interest to every company that is subject to the law. CISOs are waiting to see how the supervisory authorities will build their cases, what evidence will be obtained, and how it will be used. The size of the resulting fine will be just as interesting. Most organizations won’t feel that they fully understand what’s being defined as a GDPR breach until they see the enforcement process in action.

PKWARE’s Smartcrypt is the only data security platform that integrates data discovery, classification, and protection into a single workflow. With Smartcrypt, you can find, protect, and manage sensitive data across the entire organization from a single point of control.