On May 21st, IT One will organize a new edition of ISD, where several experts will share their expertise on the topic of cybersecurity. We met with Myriam Djerouni (CISO, Luxith), who will be one of the keynote speakers, to discuss the impact of the GDPR regulation.
What have been the main impacts of the regulation since its implementation last May?
GDPR has raised awareness of the confidentiality of citizens', customers' and employees' data, and of data privacy in general.
The mindset regarding the handling of personal data has changed in a positive way (maybe it is also driven by the fear of huge penalties). A direct consequence is a clean-up of legacy systems and data that companies kept "just in case".
On one hand, it brings the positive impacts explained above; on the other hand, it can sometimes seem cumbersome for project implementation. In fact, "privacy by design" and "data minimization" are not new concepts, but with the GDPR they become legal requirements that companies need to implement.
But it is only the first year, so we need time to change habits and for them to become automatic.
How did companies first react to it?
First, they panicked ;-)
Then, after being flooded with GDPR-related advertising, they adopted a pragmatic approach:
- Perform an inventory of processes in order to identify those handling personal data
- Based on this inventory, define controls to properly protect the data
The first step is to have a clear and comprehensive view of the data: what kind of data, where it is stored and how it is managed.
How has GDPR reinforced the position of Europe as a cybersecurity leader?
GDPR also applies outside the European borders; it has a worldwide impact, and even the giants of the web must take a position on GDPR and comply with it.
In fact, any company, whether based within or outside of Europe, needs to comply with GDPR to process personal data of EU citizens.
Thanks to GDPR, data privacy has become an important concern for everyone: citizens (they know that their data belongs to them), companies and states.
For example, California has passed a privacy law (the California Consumer Privacy Act), applicable from January 2020, which is quite similar to GDPR in its idea of protecting consumers and bringing them transparency about the personal data collected by companies.
What are the next steps in Europe when it comes to data privacy and cybersecurity regulation in general?
In fact, cybersecurity is now part of citizens' day-to-day lives (we are more and more connected through smartphones, social media and IoT); companies as well as states are also more and more interconnected, which is why it is important to define rules to avoid abuse and protect data and assets.
Several initiatives to strengthen cybersecurity and enforce data privacy have already emerged:
- NIS - Directive on Security of Network and Information Systems, adopted on 6 July 2016. Its purpose is to enhance the security level of EU critical infrastructure. It introduces the notion of operators of essential services (such as energy, transport, health, water and banking) and digital service providers (such as cloud providers). They are required to implement security measures and must notify relevant security incidents. The latter point improves collaboration among the EU's CERTs (Computer Emergency Response Teams). As with GDPR, non-compliance can result in penalties defined by each state.
- The Cybersecurity Act provides a framework for European cybersecurity certificates for products, processes and services, such as Internet of Things devices and critical infrastructure.
- A new EU regulation is under discussion to prevent the dissemination of terrorist content online.
Meet Myriam Djerouni at ISD on 21 May 2019 at the round table "Highlights from a GDPR focused year".
Published on 17 April 2019