The GDPR is not just about security, but it has been dominating the lives of many CISOs since last year. What does that mean in practice for the CISO, and why would a CISO be worried?
GDPR is emphatically about managing privacy with the interests of the data subjects at heart. It is not about encouraging lazy people to sign away their rights.
The bottom line, I think, is that (regardless of GDPR and whether it applies in your jurisdiction) no company can afford a breakdown of trust with its customers and other stakeholders, as Facebook is discovering. GDPR may simply be a catalyst for bringing data-related trust issues to the surface.
GDPR is overly talked about, with most of the discussion centred on internal processes and actions. An important part of reducing GDPR risk is to audit your upstream and downstream supply chains, and to make sure that cloud contracts and partnerships are documented and in line with your own GDPR compliance.