
Thanks to the Snowden Effect, data privacy and security have made it onto the global agenda. The European Commission already recognised this as a key issue back in 1995, when it introduced Directive 95/46/EC to protect personal data. Now the EC is catching up with the digital age and introducing the European Data Protection Regulation to provide further protections and, yes, penalties.

Whilst the various legislators and businesses hash out the details, one thing is clear for today’s CIO and/or Chief Security Officer (CSO) at companies with 250 or more employees: based on the way the regulation is being drafted, you will either hire a Data Protection Officer (DPO) or become one yourself.

It will be even more painful for those of you who work for multinationals, including companies headquartered in the U.S. That’s why it’s important to take steps today to future-proof your data and that of your customers. In an era when everything is moving to the cloud this can be challenging, but there is a strategic direction you can take to help you achieve it.

Egnyte CEO Vineet Jain sums up this strategy in a few simple words: “The cloud is not enough”, and that certainly applies to data protection. To realise the EU data protection framework’s goal of a “Digital Single Market”, consumers and businesses need to be able to control where their data is stored, how it’s accessed and who has access to it, and of course to exercise the “right to be forgotten”, a very foreign concept for some US companies with no local presence in, or understanding of, the EMEA market. There has to be a way to store and access some data in the cloud while also getting cloud-enabled access to the data that stays on premises. Cloud SaaS vendors also need to give EU-based organisations the option of storing their data in EU-based data centres, so they can comply with the laws of those countries.

So what would the resume of a Data Protection Officer look like? Here are the qualities that I believe will be table stakes:

  • ~10 years as a VP of IT Infrastructure, CIO or CSO
  • 5-7 years working for a multinational company, with physical and digital operations in multiple countries
  • A solid understanding of EU legislation on data privacy and protection
  • Experience with global compliance standards such as SOC 2, ISO 27001, SSAE-16, FINRA, FISMA, HIPAA, etc.
  • Experience running highly responsive teams that handle:
    • Data breaches, including the ability to notify the ICO (Information Commissioner’s Office) within 24-72 hours
    • Issues related to the confidentiality of information (including listening, tapping, storage, interception, retention and surveillance of data), the treatment of traffic data, spam/unsolicited email, cookies, and viruses/malware
  • A clear understanding that if the job isn’t done right, fines could range from 0.5% to 5% of annual turnover or from 500,000 to 1,000,000 euros, whichever is greater

That last bullet certainly got my attention. Make sure to hire an expert here, because going cheap on someone with less experience could cost you far more in fines.

Looking forward to speaking to all of the CIOs attending the event in Wales about this very important topic.


The original post appeared on the CIO Event blog