"The CEOs, or whoever's running this business, are going to be responsible for hiring people that can communicate," says Patrick Clawson, a veteran of the security industry and chairman and CEO of Lumension Security, a specialist in endpoint management and security. "There are a ton of very smart people who get IT security, but they don't have the ability to make it viral among the employee base. They have to be passionate about credentials and be good communicators that can work with the people in the business and the executive team. This isn't a role for someone right out of college."

Many of the qualified candidates will come out of large consultancies like Capgemini and IBM, Clawson says, noting that organizations will want to make sure they have a seasoned professional because the proposed legislation would have serious teeth. The European Commission (E.C.), which published a first draft of the new data protection legislative package in January 2012, has proposed hefty fines for non-compliance. A provision would allow national supervisory authorities to send a warning letter for first offenses, but serious violations (like processing sensitive data without an individual's consent) would allow those supervisory authorities to impose penalties of up to €1 million or up to 2 percent of a company's global annual turnover.

"To be fair, if you're going to put something in place, if there aren't teeth it won't happen," Clawson says. "The most successful U.S. legislation like HIPAA and PCI have big hairy teeth."

The E.C.'s proposed legislative package is intended to both harmonize the data protection laws across the E.U. member states and update them to address the new technological reality (like cloud computing). Currently, data protection in the E.U. falls under the Data Protection Directive, adopted in 1995. As a directive, it provided a list of issues the E.U. member states should address with their own legislation. That left each of the 27 E.U. member states to implement their own varying versions of data protection laws. The new legislation, a regulation rather than a directive, would replace those national laws with a single set of rules that would govern data protection across the E.U.

One of the new rules would require all private sector companies with more than 250 employees, all private sector companies whose core activities involve regular monitoring of individuals, and all public authorities to formally appoint a data protection officer (DPO).

The Data Protection Officer Role

"The data protection officer must be empowered by the organization to act as an independent assessor of its compliance with data protection laws and report to the board of directors in doing so," say Ulrich Bäumer and Stephanie Ostermann of the International Law Office, an online legal update service for companies and law firms worldwide.

"The E.U. regulation specifically requires the data protection officer to coordinate data protection by design and privacy impact assessment initiatives and to be responsible for data security initiatives generally," say Bäumer and Ostermann. "Responsibility for training staff is also mentioned as important. In short, the data protection officer must ensure that his or her organization has adopted good data governance policies and procedures."

The new legislation would require organizations to demonstrate that they have undertaken regular data protection audits and privacy impact assessments using recognized industry standards, including demonstrating that privacy compliance and risk mitigation steps have been implemented before putting in place new processing systems and activities.

Implications of a Data Protection Officer Staff

With such a broad mandate, and severe penalties for noncompliance, Clawson warns that organizations should be prepared not only to hire a DPO, but a staff to help the DPO carry out his or her duties.

"The implication is there's a staff behind this person," he says. "Right now it looks like they're going to impose a whole bunch of controls that are apparently going to be legislated with a whole bunch of penalties. There's going to be some layer of staff that goes with that on top of the technology purchases and the documentation required."

Data Protection Steps to Take Now

The new data protection laws have yet to take final shape, and most sources agree they won't be implemented any sooner than 2014. But Clawson says that shouldn't stop organizations from beginning their planning now. He suggests two steps organizations that do business in the E.U. can take right now to prepare.

"You've got to be watching what's echoing through the chambers in the E.U. and what you're hearing about possible changes in legislation," he says. "And you should begin looking at the strongest examples of data protection laws that currently exist within the E.U., like Germany and France, and try to measure yourself against those. I can't imagine it gets much worse than that."

Thor Olavsrud covers IT Security, Big Data, Open Source, Microsoft Tools and Servers for CIO.com. Follow Thor on Twitter @ThorOlavsrud. Follow everything from CIO.com on Twitter @CIOonline and on Facebook. Email Thor at

Read more about legislation in CIO's Legislation Drilldown.