GDPR forces closer cooperation between security and legal divisions
Our expert's opinion
"There was a time where some thought GDPR was only going to be a wave people would surf on. However, today we can state that it is more than that. Companies are now investing in data protection more than ever, for the simple reason that data has never been more important.
Regarding GDPR, some organizations have hired Data Protection Officers (DPOs) that report to the top management on privacy and regulation topics. If the security management of a company is held by the Chief Information Security Officer (CISO), the privacy side is handled by the DPO. CISOs have a heavy knowledge of IT, whereas DPOs are more often in the legal department.
Those two departments are now linked more than ever with all the Data Protection and GDPR regulations, which will no longer be legal and compliance issues only but deeply linked to the IT."
- Yasmina Belataris, Associate Consultant
Privacy Ops: The New Nexus for CISOs & DPOs
No longer can privacy be an isolated function managed by legal or compliance departments with little or no connection to the organization's underlying security technology.
Recent advancements in machine learning and big data analytics have made data more important today than ever before. Companies are now investing heavily in protecting their customers' data; for instance, Facebook has pledged to double its safety and security team to 20,000 people.
Since the introduction of Europe's General Data Protection Regulation (GDPR) in 2018, data protection officers (DPOs) have become the subject of the latest hiring frenzy. Large organizations that are mandated to hire a DPO based on the GDPR's criteria are struggling to find the right person for the job. But how does a DPO fit into the typical security organization?
At the end of the day, a DPO should report directly to top management on all regulation and privacy topics. As such, the perfect candidate must have in-depth knowledge of GDPR and other regulations. Your DPO should also view the responsibilities of GDPR compliance as an opportunity to drive your business forward.
Here is where things become challenging.
Security is led by the chief information security officer (CISO), who oversees regulation and all other security matters. The privacy side is led by the DPO, but this department is traditionally made up of lawyers and legal practitioners who have little knowledge of technology and security. The DPO doesn't have a real connection to the company's technology, and certainly does not have the buying power behind it.
This is true historically as well; the privacy side of operations within an enterprise comes from a legal background, which has been conservative and resistant to change. However, the emergence of regulations such as GDPR has caused a rise of influence in privacy roles, which have started to see growth and an increase in purchasing power. Organizations have also realized the critical need for cross-departmental collaboration and communication.
Today, we have entered a new era of global privacy management. No longer will privacy be an isolated function that can be housed by just legal or compliance. There needs to be a connector somewhere — Privacy Operations — a new and separate group that will serve as the technical connector between the security and privacy teams.
Privacy Ops is much like DevSecOps, wherein security processes take place along with development sprints. And just as security practitioners had to become involved and affect the software life cycle, privacy practitioners today must understand the data life cycle and enforce protection controls throughout the data processing pipelines. In Privacy Ops, we will see a merging of the security and privacy teams, in which the DPOs will leverage the security team's expertise to implement and manage technology in order to simplify regulation adherence.
This change and adaptation to new privacy standards has the potential to positively affect multiple aspects of privacy, business, and security. Privacy or DPO teams can now enhance their in-house impact on the organization and help protect user privacy by adopting technical solutions to be maintained by the privacy operations teams. This allows business digitalization teams to leverage data that is now maintained and governed. Security teams can leverage the power of the new privacy operations teams to enforce privacy regulations, thus allowing security to focus on risk management and prevention.
The impact of hiring data protection professionals and implementing privacy-driven technology is yet to be seen, but it is a necessary step toward minimizing data breaches and keeping our data from falling into the wrong hands.
Source: Dark Reading