Vinod Bange, Taylor Wessing
The most pressing concerns of the GDPR and the Privacy Shield are the financial responsibilities these laws place on businesses with European customers. This includes penalties of up to 4% of a company’s global revenues if it fails to comply.
In fact, according to a recent Ovum survey entitled ‘Data privacy laws: Cutting the red tape,’ a whopping 52% of respondents think that new data protection regulations will result in fines for their company, while two-thirds expect it to force changes in their strategy in Europe. And when asked about investing in greater data protection capabilities, 55% plan on new training for employees and 53% will prepare by adopting new technologies.
“Getting things wrong, or a breach, under the GDPR will attract far higher penalties than what we have under the current law,” says Bange. “So IT has to pay greater attention to points that were once considered as housekeeping.”
New legal skill set
Another fundamental shift is the complex legal nature of the EU’s data privacy laws, especially for IT leaders. “The legal requirements and the IT requirements of data protection are two very different aspects so it’s not easy for the CIO,” warns Jean-Pierre Heymans, founder of Heymans Consulting, a Belgium-based data privacy consultancy.
Bange agrees. “CIOs will have to get their heads around new compliance and requirements sets,” he says. “There’s no way around it; they’re just going to have to do it. The C-suite, in particular, needs to know what these laws will mean in terms of liability, change and budget from a corporate perspective.”
Short of enrolling on a law course, Bange says the smartest way for CIOs to gain a deeper understanding of today’s more stringent laws is to seek the assistance of seasoned law and privacy professionals, and to incorporate their feedback into IT workflows. Says Bange: “IT leaders will be looking towards legal and compliance expertise to embed into their processes, and use it to manage privacy by design and security by design.”
Lukas Feiler, Baker & McKenzie
Appointing a data privacy officer can also go a long way towards satisfying EU regulations. In fact, the GDPR stipulates that multinational companies with more than 250 employees are required to hire or nominate a data privacy officer to oversee data governance. For small businesses with limited funds, Feiler says, “it might be a good option to appoint the CIO as a data protection officer.”
Organizations with deeper pockets, on the other hand, are more likely to hire a dedicated, full-time data protection officer. However, it’s difficult to find a suitable candidate — an individual with a keen understanding of both technology demands and legal requirements. Either way, Feiler says: “Whether you have a legal background or not, it’s necessary for a CIO to learn the rules of the game.”
Turning the EU’s data privacy regulations into a career opportunity also requires CIOs to be more open to collaboration with non-IT entities. “This isn’t just an IT issue anymore,” warns Bange. “Data privacy and complying with the GDPR is not simply about handing things over to your IT manager to deal with. It’s far bigger than that; it requires governance and accountability from the very top.”
For this reason, Bange stresses that it’s critical organizations “gather their C-suite stakeholders together and really wake them up. You’ve got to shout about it and get their attention.”
At the same time, IT leaders, often accustomed to working independently, need to be open to working side by side with business line leaders and pooling their resources. “CIOs cannot treat [EU regulations] as something that the legal department is taking care of because the legal department might not have the necessary technological expertise,” says Feiler. “You really have to bring both [skill sets] to the table.”
Getting the board onboard
Fortunately, for CIOs who take the time to dive into the legal complexities of data privacy rules and collaborate with business line leaders, the rewards are considerable. “IT leaders have already identified data privacy as a very important issue,” says Feiler.
“The good news is that they will now have boardroom-level attention,” he says. “Up until recently, it was often difficult for CIOs to get the necessary budget and the necessary resources for their projects. With this compliance regime in place, it will become significantly easier to communicate the importance of properly implementing and documenting IT processes, and making sure that IT security concerns are taken into account.”
With greater responsibility, though, comes greater risk. “The bad news is,” adds Feiler, “if things go wrong, the consequences are not just a bad headline in the newspapers, but a very, very hefty fine.”
Planning for the new privacy landscape
Luckily, there are steps CIOs can take to raise their corporate profile while reducing the risk of legal and financial exposure. For starters, CIOs need to take a good look at the type of data they’re storing and where. Hybrid infrastructures, corporate mergers, shadow IT – they’re all factors that can scatter data across silos and hinder an IT leader’s ability to know what data they need to protect and why.
“Start putting a data inventory together. Understand where your data is and start looking at your IT infrastructure,” recommends Bange.
Another step in the right direction is deploying innovative technologies. The GDPR dictates that, in the event of a personal data breach, an organization must notify the appropriate authorities within 72 hours of becoming aware of the exposure. That will be a major change in direction for many IT leaders who are accustomed to focusing on breach prevention and damage limitation. Instead, CIOs must focus on putting the right breach detection and incident response solutions in place to ensure quick notification.
“Being able to detect a security breach and then being able to respond to it in an adequate manner is something that absolutely requires technological solutions,” says Feiler. “A network-based intrusion detection system is basically state of the art and should already be deployed in every network.”
And they should be deployed quickly. Once ratified, the GDPR is due to become law by 2018 across all 28 EU member states. But a lengthy timeframe shouldn’t lull CIOs into a false sense of security. Successfully satisfying these new data privacy requirements entails getting as far ahead of the game as possible.
“Familiarize yourself with the requirements of the regulation early on,” advises Feiler. “Many corporations are saying this is still two years down the road, but the time will come when the regulations will suddenly kick in.”