Data Protection in Québec, Local Experts Voice Their Opinion (Part 1)

Victor De Luca
3 min read · Oct 16, 2023

In this series of blog posts, I will relay information I collected from interviewing some of the most prominent leaders on data security and privacy in Québec. These experts have different backgrounds, expertise, and job titles. However, they all provided insightful thoughts on data protection. With the data protection and privacy laws getting more and more prevalent and stringent, practitioners and leaders may have a hard time focusing on what truly matters. I wanted to write this series to provide value to colleagues in the industry. At the end of the day, it’s always good to hear what others are doing and, more specifically, leaders in the domain. Hopefully this series provides ideas that can lead to the development of better policies and practices in your respective organizations.

For the first round of this series, I have had the privilege to discuss with Jean-Luc Nicholson, a GRC Program Manager at Pleo and Gulshan Kisoona, CISO at Air Transat.

Jean-Luc Nicholson, GRC Program Manager at Pleo
Gulshan Kisoona, CISO at Air Transat

When speaking with Jean-Luc, it’s clear that he’s passionate about security and compliance. His broad set of skills and industry experience came through in his answers. When I asked him what the most common confidentiality incident he’d seen was, he said that it was usually employees just playing with data. “Just because they are authorized to access it, doesn’t mean they can do whatever they want with it. This tends to be the most frustrating and common incident I see on a daily basis.”

As a follow-up, I asked him what control he recommends implementing, “Data mapping”, he answered without hesitation. “It’s hard to implement and monitor controls when no one knows what we have, where we have it, and how we’re keeping it. Taking the time to properly document a data inventory and maintaining it saves a lot of hassle down the line”. Gulshan, known for his impressive experience in the field, further added that “it’s rarely about specific controls but rather about the scope of them”. He emphasized that due to the sheer amount of information, systems and applications, there’s always the risk of a control having blind spots.

As we know, it is now mandatory to have a Data Protection Officer (DPO) for most organizations operating in Québec. So, what would make a good DPO? Jean-Luc had a very rational opinion on the topic: “It’s all in the communication skills. A good privacy professional needs to be good at communicating why we need to protect data. If employees don’t care or don’t see the value, they won’t bother to respect the controls and directives we put into place, or they will bypass them if they think they are needlessly restrictive. This also goes the other way: it’s important to be a good listener and read between the lines. I’ve picked up on a lot of accidental violations and bad habits by simply talking to colleagues and understanding what it is they are actually doing. No one is going to tell you, ‘I’m violating GDPR’. You kind of have to figure that out yourself.” Gulshan added that the “DPO should integrate closely with business units to understand their data needs to devise a strategy to ensure that this data can be used for decision-making”.

As parting words, both Gulshan and Jean-Luc mentioned that culture can be the biggest blocker or the biggest enabler. Having security and privacy teams work hand-in-hand to protect data is a must. Compliance cannot be enforced without the proper tech, and tech without compliance has no brain.


Victor De Luca

Victor holds a B.Sc., a M.Eng. and an MBA. He has a strong interest in new technologies, cybersecurity and data protection.