What CEOs should know about privacy. (Here's one big thing: GDPR will affect you.)
The European Union's General Data Protection Regulation (GDPR) goes into full effect in May 2018. The EU has empowered itself to regulate any business, anywhere in the world, that stores, transmits, or processes data that can directly or indirectly identify a natural person in the EU (a "data subject"). The regulation's reach won't be confined to enterprises in Europe, or even to enterprises that do business in Europe. Penalties can amount to as much as 4% of a business's global annual revenue (or €20 million, whichever is greater). It's safe to say that few organizations, even in Europe, are prepared for the reach and scope of GDPR.
SINET's panel, "What Every CEO Needs to Know About Managing Privacy Risk," took up the implications of the GDPR. Sholem Prasow (Founding Director, Insight Management) moderated a discussion among Mike Antico (Chief Information Security Officer, Santander Bank), Dan Crisp (Chief Technology Risk Officer, BNY Mellon), Cam Kerry (Senior Counsel, Sidley), Lisa Markey (Chief Information Security Officer, Shearman & Sterling), and Zoe Strickland (Managing Director, Global Chief Privacy Officer, Compliance, JP Morgan Chase).
Prasow presented (at some length and in considerable detail, perhaps as befits a regulation as long, complex, and aggressive as GDPR) an extraordinarily bleak picture of the GDPR-driven future. GDPR is open-ended, and it will exact significant penalties. To take just one aspect of its strictures, the regulation requires "unambiguous consent" from the natural person whose data are affected. In Prasow's considered view, such consent must be obtained for each particular activity, for every datum, and for every transfer. Essentially he presented a picture of an intrusive, punitive, and unworkable process. Perhaps it will be softened into more aspiration than enforcement, and various EU representatives have sought to reassure businesses that things won't actually be as bad as their close reading of the regulation may have led them to believe, but Prasow's account of GDPR amounted to Katie-bar-the-door.
The panelists were realistic, but a bit more sanguine. Kerry pointed out that the first thing CEOs need to know is that only eleven months remain to set their systems up for compliance with GDPR, and that there are indeed steps a business can and should take. Crisp called GDPR preparation "heavy lifting," but believed that the steps toward preparation were at least relatively clear, even given the challenges involved in overcoming "cultural issues." The first step is self-awareness: coming to understand the data one has, where it lives, and why it is held. Crisp didn't underestimate the difficulty of this task: "Data lakes start small, but they grow, and often without reference data." Antico joined Crisp in stressing the importance of a sound, comprehensive data inventory.
Strickland thought that banks were perhaps better prepared than they might believe, as GDPR aligns well with what banks call the "three lines of defense." Another class of business the regulation will heavily affect is legal practice. Large law firms, Markey noted, are inherently processors of personal data, and privacy has two sides, the legal and the operational. She cautioned against letting "technology carts lead operational horses," and, like Strickland, she saw a number of the requirements as familiar ones.
Kerry, at the close of the discussion, summed up by observing that GDPR had made privacy a whole-of-organization issue.
Those wishing to swot through the General Data Protection Regulation (Regulation (EU) 2016/679) will find the full text published on EUR-Lex.