Evolution of corporate governance under the current cybersecurity paradigm

Abstract

Clive Bixby’s iconic phrase “Data is the new oil” assumes a graver subtext every day. As companies battle it out in the digital economy, they are using every tool available. Big data, Internet of things, web-surfing, social media platform, every ounce of information is being collected, analyzed, and exploited. This has brought forth the bitter realization that “if you are not paying for the product, you are the product”. In these circumstances the protection of the users takes a secondary role in a company’s agenda thus making data privacy laws imperative. The outdated regulations around the world have been treated by companies as a voluntary provision rather than a mandatory law. The advent of GDPR is forcing a change in this dynamic and thrusting accountability on companies that have been fault-free for too long. This fresh set of compliance laws is a work in progress, but a step in the right direction as tech giants are compelled to refocus their priorities toward more ethical goals like consumer protection. This report analyses the governance changes that companies have to undertake in order to implement the law in letter and spirit. We start by identifying, the roles and responsibilities of the newly appointed Data Protection Officer (DPO) followed by the overlaying spectrum of duties between the CISO, CTO and Data Controllers. The biggest GDPR fines to date were studied to scrutinize the mistakes made and the further modifications thus needed.