Companies must continue to take all the necessary steps to make sure they are going to be compliant with the EU’s General Data Protection Regulation (GDPR) once it goes into effect May 25 because violating that new law can prove costly, according to Michelle Dennedy, Cisco VP and chief privacy officer.
Investing in GDPR compliance initiatives, as Cisco has done, might not be cheap, but it must be done because “it isn’t just that the fines in GDPR can be up to 4 percent of your global turnover” as a company, she said Feb. 20 during the webinar “GDPR – Security at the Service of Privacy.”
Investment costs are “a drop in the bucket when you look at the outside risk number,” and “also a drop in the bucket when you look at today’s digitized society, where we are so information-led,” she said, adding: “I think, at the minimum, you should have at least some sort of executive leadership really guiding the way and then making sure throughout job categories, making sure there’s some awareness and ability to deal and manage with data. I think it’s the new currency.”
It could also be easier for companies smaller than Cisco to become compliant. “In some ways, smaller companies have the advantage here because getting a hold on how you’re going to actually govern your data is somewhat easier if you have less,” Dennedy said.
When looking at what Cisco had to do to achieve GDPR compliance, she said: “What we’ve had to do is really look at all three key elements – sort of the DNA of any governance program: people, process and technology, figuring out across the globe what are the data needs and requirements of the types of businesses and the types of customers we have.”
Looking at the types of products Cisco sells, many of them are “not data-aware” because “they pass data through without maybe collecting or being visible unless there’s maybe a servicing issue,” she said. But there are other Cisco products that are “quite intense, where we’re capturing your face and your voice and your documentation and your interactions; they’re quite intimate for your working lives,” she said.
Cisco also looked at “the type of culture that we have,” and had to “figure out what kind of tolerance for governance” there is, she said. Cisco works in a sector unlike the financial and healthcare sectors, “where there’s a lot of specific regulations around what we do and serve,” she noted. But Cisco customers are all “bound by a number of different regulations,” she said.
It was also important that Cisco looked at the technology tools and services it has and uses, she said, indicating that all companies must go through similar efforts to make sure they are in compliance with GDPR.
Encryption is “not a silver bullet” for companies to control their data, she also warned, noting it “gives a false sense of security.”
Blockchain technology, meanwhile, may be a big help for companies dealing with a lot of data, but maybe not immediately, according to Dennedy. She explained: “Blockchain right now is sort of like teenage canoodling. Everybody is very interested in it. Everyone talks about it all the time. One or two people are actually implementing and using it in practice and they’re probably not very good at it yet.”
But she added that blockchain, along with artificial intelligence and machine learning, are “all ingredients of what governance looks like in the future.”
In the same webinar, Ariel Silverstone, managing partner at Data Protectors, provided recommendations for what companies can do to gain GDPR compliance. But he said: “I don’t recommend that people tailor solutions for the GDPR. I believe that the GDPR is a part of a global wave of regulation.”
Companies “need to be flexible because you can’t continue to treat your data again and again and again for every peculiar regulation” that goes into effect, he said.
He offered three main suggestions for what companies should do. First, he said: “You should know where your data is. It’s easy to say. It’s hard to do. It does not necessarily mean data mapping. But you really should know where your sensitive data” is located.
Second, he said: “You should be aware of the exposure that you have.” That’s because a company doesn’t have to be based in Europe to be affected by GDPR. Many companies that don’t operate in Europe run websites that people in Europe visit, so they “might be subject to the GDPR,” Silverstone said.
He also cautioned companies not to be afraid of GDPR. They should divide their data into groups based on which data is most sensitive and focus their efforts on the “most sensitive and the most visible first,” he said.
Also, “do not collect what you don’t need” when it comes to data, he said, because if you collect any data, you must make sure there is a “permissible reason” to have it, you have a responsibility to keep it up to date, and all that data requires significant storage capacity and maintenance effort. Companies should purge data they no longer need because, under GDPR, a company is no longer responsible for data it has disposed of in a responsible way, he said.