Where are companies in their approach to the new European regulation?
At this point, people want to get a grasp of what's going on and to understand the stakes. We are still far from implementing the new rules. A lot of companies haven't designated anyone to protect personal data. Our teams are working with legal departments, HR (who are involved because of employee data), and sometimes CISOs. But the implementation of the European regulation has to be dealt with as a global company issue.
What points should we focus on?
It's important to be familiar with the current regulatory framework and its limits because it helps to understand why the regulation was adopted. The aim of the new regulation is to harmonise and simplify procedures. The establishment of the One-Stop Shop gives processing officers a single reference authority for all their activities in Europe. Still, the final text isn't necessarily very clear, which is why it's important for DPOs to have a solid legal background. It's not enough just to have technical knowledge or to be able to deal with compliance issues.
What changes for CISOs?
The way databases are managed, and the concept of Privacy by Design, which means including security much further upstream: these issues mean that CISOs will have to work more with the DPO and the legal department. A concerted approach is needed. Plus, when subcontractors take more direct responsibility, their own CISOs will be consulted more. As a general rule, CISOs will be more involved. This will help them sell security.
And for companies overall?
It's not rare that, when inventorying their data processing, companies discover processes whose scope they weren't aware of. They can clean up their databases, which will help them better understand and better manage risk. Good database management becomes a benchmark for company value. All organisations must realise that this is an important subject. Failure to understand these problems will become a handicap.