ipopba - stock.adobe.com

Governments continue to eye data privacy, forcing CIOs to adapt

With new data privacy regulations like China's personal data protection law coming down the pike, CIOs need to make privacy and security the central focus of their overall IT strategies.

As data becomes an increasingly powerful currency, governments around the globe are taking steps to regulate how that data is collected, used and stored. That, in turn, has influenced how IT strategy is crafted.

Forrester Research analyst Paul McKay said the uptick in data privacy regulations has only encouraged CIOs to double down on baking privacy and security into their overall IT strategies. CIOs have had years to adapt to data privacy regulations like GDPR, which was adopted in 2016 and fully enacted in 2018, but the goal posts are always moving. China recently enacted a new personal data privacy law taking effect Nov. 1 that will require CIOs operating in that market to ensure their IT strategies meet the new requirements.

In this Q&A, McKay, co-author of the recently released Forrester report "Tech Execs: Take Four Steps to Integrate Cybersecurity and Privacy Into Your Strategy," said having a privacy- and security-forward IT strategy will be key to an organization's success when entering new markets and adhering to new security and data privacy regulations.

How has privacy and security changed for CIOs in the last 10 years?

Paul McKayPaul McKay

Paul McKay: Everything has been pushed online and when that's the case, no responsible CIO can take those kinds of steps without at least ensuring that any security or privacy risks associated with that -- given the increased regulatory oversight that now exists in many countries -- isn't baked into that plan and dealt with in a more collaborative fashion, rather than tack it on at the end as an afterthought. I think that's the change we've seen in the last 10 years or so.

How have data privacy regulations like GDPR changed privacy and security conversations in the C-suite?

McKay: With regulations coming through as a driving factor, it forces the issue onto the table because then you have regulators who might poke their noses into stuff and kick the tires on things if they're not done properly with some of the reputational aspects in terms of fines and trust issues with customers that need to be overcome.

A lot more attention is being paid to cybersecurity because of the various breaches that have happened over the last few years. … There's much more boardroom pressure to make sure all those angles are covered. No one wants to be the C-level executive that's speaking to the press about what happened. Executives want to know, 'Are we spending the right kind of money on security? Is it integrated into everything we're doing? Are we covered?' They are very simple questions, but they point to a number of factors that force you to integrate privacy and security into what you're doing rather than try to tack it on as an afterthought.

China just passed a new data privacy law. At this point, how much does something like that impact a CIO's IT strategy?

McKay: There are certain aspects that tend to come up pretty commonly regardless of the type of regulation. There are a number of requirements that come through these regulations -- things around breach notifications tend to be a common requirement, whether it's related to personal data, or as we have here in Europe, a requirement for critical infrastructure. I think those kinds of things around having an ability to recognize when an event has happened and report it within a reasonably short timeframe are things that CIOs have had to do over the last couple of years anyway. So when a new law comes in a new jurisdiction, what I've seen many global organizations do is look for commonalities like that. They look at where the toughest regulation we have to adhere to is and then make sure they are compliant with the expectation that if anything is passed in another country, it will be equivalent to it or not as strong as it.

The types of things being asked for by regulators -- having a risk management strategy, making sure you have sufficient management involvement in what's going on, boardroom accountability, the ability to recognize and respond to events -- these things are coming up time and time again. So the net new impact from those are promulgated in new jurisdictions and maybe less impactful than it was a couple of years ago.

Organizations try and stay out of politics as much as they can, but to some extent, they have to operate within those systems and avoid doing anything that puts them in the firing lane from the regulators.
Paul McKayPrincipal analyst, Forrester Research

What about the potential impact of China's recently passed data privacy law?

McKay: My expectation is that China's data privacy law will have within it certain provisions that conflict with laws and jurisdictions that maybe global organizations have in other parts of the country. So there's a bit of a complexity that comes into play there. This would be similar in nature to the Hong Kong National Security Law where there's something very specific you have to do from that local jurisdiction to enable yourself to be compliant with the law and be able to operate. I think that's a very tricky geopolitical balancing act for organizations to make because, of course, they have business interests in all these countries. Organizations try and stay out of politics as much as they can, but to some extent, they have to operate within those systems and avoid doing anything that puts them in the firing lane from the regulators. In some of these cases, they're going to have to make decisions that meet one set of regulations but not another -- and that obviously causes some issues.

How will making privacy and security central to an IT strategy help?

McKay: If the IT strategy has been crafted properly, it should always be in support of a business strategy which will say things like we want to be more agile, we want to expand into new markets, we want to launch new products in new markets -- things of that nature. To some extent, the IT projects which enable those business strategies will involve certain inherent security risks. Going into a new market is a great example. If you've already got within your IT strategy some principles around how you enter a new market and some of the technology work you have to do to make that successful, you're going to be much more likely to identify issues earlier in the process where you can do something about it.

Editor's note: Responses have been edited for clarity and brevity.           

Makenzie Holland is a news writer covering big tech and federal regulation. Prior to joining TechTarget, she was a general reporter for the Wilmington StarNews and a crime and education reporter at the Wabash Plain Dealer.

Dig Deeper on CIO strategy