EU data privacy reboot: A burden or a big break for CIOs?
Fueled by revelations about mass US government snooping, the European Union (EU) is cracking down on data privacy. The European Court of Justice declared the 15-year-old Safe Harbour pact, which allows the movement of EU citizen data across the Atlantic, invalid in October 2015 for failing to protect the fundamental rights of Europeans. It is now being replaced by stricter legislative agreements, including the EU-US Privacy Shield and the newly proposed EU General Data Protection Regulation (GDPR).
For CIOs in the US and Europe, these new privacy agreements herald a new standard for handling the data of EU citizens. Corporate reputations, revenue penalties and legal exposure — they are all on the line as IT leaders struggle to make sense of these emerging data privacy rules. Indeed, many of these laws are still being negotiated, putting CIOs in a precarious state of limbo when it comes to handling data transfers. Just this April, for instance, the Article 29 Data Protection Working Party, an advisory watchdog, warned the EU Commission and the US that the proposed Privacy Shield doesn’t offer sufficient guarantees on the security of EU citizen’s data. This may well result in both regions having to revisit the agreement.
Certainly, US-based CIOs in the healthcare and financial sectors are already familiar with legislative hurdles such as HIPAA and PCI, respectively. But the EU’s data protection developments raise the bar significantly.
“The US has some of the most stringent data privacy laws in the world but they are very specific and apply to very narrow circumstances,” says Vinod Bange, a partner with Taylor Wessing who heads the international law firm’s UK data protection and privacy practice. “The fundamental difference is that the GDPR and European privacy law build a framework for data privacy that applies to all organizations, and one that’s sector-agnostic.”
Even CIOs in privacy-conscious Europe face unprecedented hurdles. “The EU’s data protection regulation poses a very significant challenge in the sense that it’s not just a technological problem,” says Lukas Feiler, a senior associate and head of the IP and IT team at international law firm Baker & McKenzie in Vienna. “The regulation is a very complex, legal framework; it’s more than 100 pages; it contains a lot of legalese; and it’s very vague in some respects. You have to have a certain level of familiarity with data protection regulations.”
But while the EU’s regulations up the ante, they also present CIOs with a unique opportunity to gain a seat at the C-suite’s table. That’s because business leaders must now work hand in hand with IT professionals to ensure the new requirements are met, including total compliance, greater transparency and increased cross-border co-operation. But journeying from the IT department to the boardroom requires an understanding of the regulatory changes in play. For those that gain the proper knowledge of this new privacy foundation, there could be significant career advantages.
The most pressing concerns of the GDPR and the Privacy Shield are the financial responsibilities these laws place on businesses with European customers. This includes penalties of up to 4% of a company’s global revenues if it fails to comply.
In fact, according to a recent Ovum survey entitled ‘Data privacy laws: Cutting the red tape,’ a whopping 52% of respondents think that new data protection regulations will result in fines for their company, while two-thirds expect it to force changes in their strategy in Europe. And when asked about investing in greater data protection capabilities, 55% plan on new training for employees and 53% will prepare by adopting new technologies.
“Getting things wrong, or a breach, under the GDPR will attract far higher penalties than what we have under the current law,” says Bange. “So IT has to pay greater attention to points that were once considered as housekeeping.”
New legal skill set
Another fundamental shift is the complex legal nature of the EU’s data privacy laws, especially for IT leaders. “The legal requirements and the IT requirements of data protection are two very different aspects so it’s not easy for the CIO,” warns Jean-Pierre Heymans, founder of Heymans Consulting, a Belgium-based data privacy consultancy.
Bange agrees. “CIOs will have to get their heads around new compliance and requirements sets,” he says. “There’s no way around it; they’re just going to have to do it. The C-suite, in particular, needs to know what these laws will mean in terms of liability, change and budget from a corporate perspective.”
Short of enrolling on a law course, Bange says the smartest way for CIOs to gain a deeper understanding of today’s more stringent laws is to seek the assistance of seasoned law and privacy professionals, and to incorporate their feedback into IT workflows. Says Bange: “IT leaders will be looking towards legal and compliance expertise to embed into their processes, and use it to manage privacy by design and security by design.”
Appointing a data privacy officer can also go a long way towards satisfying EU regulations. In fact, the GDPR stipulates that multinational companies with more than 250 employees are required to hire or nominate a data privacy officer to oversee data governance. For small businesses with limited funds, Feiler says, “it might be a good option to appoint the CIO as a data protection officer.”
Organizations with deeper pockets, on the other hand, are more likely to hire a dedicated, full-time data protection officer. However, it’s difficult to find a suitable candidate — an individual with a keen understanding of both technology demands and legal requirements. Either way, Feiler says: “Whether you have a legal background or not, it’s necessary for a CIO to learn the rules of the game.”
Turning the EU’s data privacy regulations into a career opportunity also requires CIOs to be more open to collaboration with non-IT entities. “This isn’t just an IT issue anymore,” warns Bange. “Data privacy and complying with the GDPR is not simply about handing things over to your IT manager to deal with. It’s far bigger than that; it requires governance and accountability from the very top.”
For this reason, Bange stresses that it’s critical organizations “gather their C-suite stakeholders together and really wake them up. You’ve got to shout about it and get their attention.”
At the same time, IT leaders, often accustomed to working independently, need to be open to working side by side with business line leaders and pooling their resources. “CIOs cannot treat [EU regulations] as something that the legal department is taking care of because the legal department might not have the necessary technological expertise,” says Feiler. “You really have to bring both [skill sets] to the table.”
Getting the board onboard
Fortunately, for CIOs who take the time to dive into the legal complexities of data privacy rules and collaborate with business line leaders, the rewards are considerable. “IT leaders have already identified data privacy as a very important issue,” says Feiler.
“The good news is that they will now have boardroom-level attention,” he says. “Up until recently, it was often difficult for CIOs to get the necessary budget and the necessary resources for their projects. With this compliance regime in place, it will become significantly easier to communicate the importance of properly implementing and documenting IT processes, and making sure that IT security concerns are taken into account.”
With greater responsibility, though, comes greater risk. “The bad news is,” adds Feiler, “if things go wrong, the consequences are not just a bad headline in the newspapers, but a very, very hefty fine.”
Planning for the new privacy landscape
Luckily, there are steps CIOs can take to raise their corporate profile while reducing the risk of legal and financial exposure. For starters, CIOs need to take a good look at the type of data they’re storing and where. Hybrid infrastructures, corporate mergers, shadow IT – they’re all factors that can scatter data across silos and hinder an IT leader’s ability to know what data they need to protect and why.
“Start putting a data inventory together. Understand where your data is and start looking at your IT infrastructure,” recommends Bange.
Another step in the right direction is deploying innovative technologies. The GDPR dictates that, in the event of a personal data breach, an organization must notify the appropriate authorities within 72 hours of becoming aware of the exposure. That will be a major change in direction for many IT leaders who are accustomed to focusing on breach prevention and damage limitation. Instead, CIOs must focus on putting the right breach detection and incident response solutions in place to ensure quick notification.
“Being able to detect a security breach and then being able to respond to it in an adequate manner is something that absolutely requires technological solutions,” says Feiler. “A network-based intrusion detection system is basically state of the art and should already be deployed in every network.”
And they should be deployed quickly. Once ratified, the GDPR is due to become law by 2018 across all 28 EU member states. But a lengthy timeframe shouldn’t lull CIOs into a false sense of security. Successfully satisfying these new data privacy requirements entails getting as far ahead of the game as possible.
“Familiarize yourself with the requirements of the regulation early on,” advises Feiler. “Many corporations are saying this is still two years down the road, but the time will come when the regulations will suddenly kick in.”