
7/10/2018
08:05 AM
Jeffrey Burt

Cisco: GDPR Is About More Than Compliance

Cisco's top privacy official says that the EU's new privacy regulations – GDPR – give forward-thinking companies an opportunity to excel by building new data management and privacy models.

The high-profile data protection rules in Europe -- talked about for several years and now finally in force for a little more than a month -- could bring about some much-needed changes in privacy and data management policies, according to Cisco's top privacy official.

For a lot of companies, the European Union's much ballyhooed General Data Protection Regulation (GDPR) will be simply an issue of compliance, essentially making sure that they don't open themselves up to the stiff fines they could face by violating the law, Michelle Dennedy, vice president and chief privacy officer at Cisco, told Security Now in a recent interview.

However, for others, the work they did in the months leading up to the GDPR going into effect May 25 to get their data houses in order -- from determining what data they have and where it's located to putting in place new data governance procedures -- gives them the opportunity to innovate on how they manage, protect and, most important, according to Dennedy, curate the data. (See GDPR: SecurityNow's Need-to-Know Guide.)


"We have to ensure and document and fireproof even our unused data, so [with] the beginning of GDPR enforcement -- which I think is really the new era of data -- the name of the game is data curation," she said. "By valuing our data and curating it, it goes way beyond governance. We have data that can be, will be and must be curated. We've got consumers -- will they stay awake? I don't know, but today they're awake. Today they recognize that there's a lot going on with governments, there's a lot going on with businesses and, boy, there's a lot of data going everywhere."

The walk-up to GDPR
The GDPR has been a source of concern and activity for businesses since at least April 2016, when EU officials approved the regulation and gave organizations around the world two years to come into compliance. It mandates how companies handle the data they collect from customers, contractors, employees and others and, just as important, gives those people greater control over the use of their personal data. They can demand that companies show how it's being used, they have to consent to that use and they can even demand that businesses delete all the data if requested.

And the penalties for violating the GDPR are high, up to $24 million or 4% of global revenues, and the regulation covers any company doing business with consumers in the EU.

This meant that companies had to know what data they had on whom and where the data was located -- not an easy thing in an era of greater mobility, BYOD, the Internet of Things (IoT) and distributed environments. They had to assess everything from GDPR readiness and risk to privacy, map where the data comes from and where it goes, make plans for when an incident happens and classify the data.

Companies that have done all that work now have the chance to capitalize on it, Dennedy said.

"What I'm telling my customers is, 'Not for nothing, but you've spent the last two years doing data inventories. Don't let them get dusty. You have a data inventory, you have a map -- you have a Maurader's Map of goodness and badness -- find out where those footsteps are going,'" she said. "Suddenly you realize, how are you spending your data budget? I guarantee you're overspending. You're doing way too much data for insights, and you're not getting the insights you need because you're not curating the data."

GDPR opportunities
Company executives need to understand that increasing digitization is changing the way data is used and managed and introducing employees with new skill sets who know more about data than those who came before them, according to Dennedy. Narrowing the view of GDPR will cause organizations to lose ground on their competitors. (See GDPR Compliance: Enterprises Have Two Options to Consider.)

"Some companies will simply treat it as compliance table stakes -- 'Let's get through with no fines. Let's keep our heads down. Let's buy the tennis shoes so we can outrun our buddy and not get eaten by the bear.' All that stuff," she said. "In an era of digitization and an era where our gross domestic product is increasingly digital, what is the information knowledge rate? How are we doing deals based on datasets and data capabilities? … You're talking about new tools that need to be built so you can respect borders when you need to and tear them apart when you don't. There's all sorts of cool things that can happen when you don't take a compliance view. If you do take a compliance view, I think that's adorable and we'll probably read about you after you've gone bankrupt eventually."



There is a lot of opportunity to serve a fast-changing market and innovate around data. There are "better business models than, 'You give me all your data and I get to profit off of it and you get nothing,'" Dennedy said. "There are better business models than 'Dump, dump, dump, dump data and then I'm going to surmise what I thought I knew about you anyway.'"

Data sources are going to come together and help drive such benefits as personalized medicine, and the key to that will be knowing where the data is, what it does and what its limits are. Worrying only about compliance blocks off many of those avenues. And the world will keep moving in that direction, she noted. Frameworks similar to the GDPR are coming together in such countries as Brazil, Mexico, Canada and Japan, and eventually will make their way to the US. The EU with the GDPR is not an aberration, so businesses will want to continue in that direction.

"We're going to associate good business and good privacy together and show them how to make money, continue to stay out of jail and continue to come up with new products and services," Dennedy said. "There's always got to be some new shiny-objectness to it. That's how we keep this momentum going."


— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.
