As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Paul Breitbarth, a privacy lawyer from the Netherlands. In 2016, he joined the Canadian privacy software and research company Nymity, which became part of TrustArc in November 2019. He currently serves as Director, EU Policy and Strategy and is based at TrustArc’s office in The Hague, the Netherlands. As part of the Privacy Intelligence team, Paul contributes to the company’s content development and thought leadership, via papers, webinars, podcasts and public speaking opportunities on a variety of topics, including accountability, the demonstration of compliance and dealing with multiple data protection laws with one single privacy program. Paul also maintains regulator contacts across the EU and beyond. Paul is Senior Visiting Fellow and member of the Advisory Board at Maastricht University’s European Centre on Privacy and Cybersecurity.
Before joining Nymity, Paul served as senior international officer at the Dutch Data Protection Authority. He was an active member of various Article 29 Working Party subgroups, co-authoring opinions on the data protection reform, surveillance, the Privacy Shield and others. In 2015, he organized the International Privacy Conference in Amsterdam. Paul holds a Master of Laws from Maastricht University in the Netherlands.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up in the Netherlands as an only child and have lived there most of my life. I studied law in Maastricht and afterwards went to work for the Dutch government where I was first an intern in Brussels and then a deputy committee clerk in the Senate where data privacy came into my life. It began with the very first file on my very first day, and many have followed. After three and a half years in the Senate, I moved to the Dutch Data Protection Authority where I was a part of the inspection team for the police department and then later was part of the international team when my commissioner became the Article 29 Working Party chair.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
For me it was that very first file I was given in the Senate — it was the legal debate over how European authorities could capture telephone records data in the wake of the terrorist attacks in Madrid & London in 2004 and 2005. That was for me the first inspiration to pursue a career in the field because it was such an interesting legal debate around what the government is allowed to do with an individual’s data and to what extent do you need to protect the individual from their own government.
Can you share the most interesting story that happened to you since you began this fascinating career?
It was my job interview with Nymity, a data protection company that was acquired by my current employer TrustArc in 2019. It was the earliest job interview I’ve ever had, a 7:30 a.m. breakfast meeting in an Amsterdam hotel. I had been looking to move on from the Dutch Data Protection Authority for a while and spoke with Terry McQuay whom I knew from past events. He told me he was in my country and had time to meet — so we had breakfast.
We had a great two-hour long conversation over breakfast about what I could do while working for Nymity. At the end of the breakfast, I had to catch the train to another meeting, and it appeared that there were many other privacy professionals who were there for an event and had seen me having breakfast with Terry. Of course they asked me what we had discussed…
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
If it hadn’t been for my commissioner at the Dutch DPA, Jacob Kohnstamm, I probably would not have stayed in data protection this long. He was an inspiration both in looking at the law, but also in always trying to find a solution that is agreeable to all. He gave me lots of opportunities to work on the issues that mattered to me and even to argue with his reasoning if I disagreed, as long as I would always respect his final say.
Are you working on any exciting new projects now? How do you think that will help people?
At TrustArc, I am always working with new laws that need to be interpreted. I try to help companies become compliant and understand their legal requirements while trying to make dealing with privacy issues less complicated. I am also working on some papers that should help privacy professionals and cybersecurity professionals understand what compliance is all about and how they can show they are compliant on an ongoing basis.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
Especially during these COVID times, shut down your computer and do something else that makes you happy — whether that is reading a book, walking a dog or maybe cooking a dinner. Do something different than sitting behind the computer all the time.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
- Cybersecurity and privacy are coming together more and more as one domain. People are starting to realize that you can’t have one without the other.
- The Cybersecurity industry and the laws are both becoming more mature.
- The public awareness around the importance of cybersecurity and privacy continues to increase.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
The main critical threat is not on the horizon, it’s actually already here. It’s the working from home situation that most of us are now dealing with as a result of the global pandemic. Most companies are not prepared for their entire workforces to be working remotely, especially from a security standpoint. A lot of people are using their personal devices that are shared with other family members which can have an impact on a company’s cybersecurity.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
The most important tool would be a VPN to ensure that my data is always secure no matter where I am. Additionally, I use a privacy-friendly browser such as Brave, an open-source Chromium-based browser that doesn’t allow for tracking.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
That really requires a case-by-case assessment. It is not just about the size of the organization but also the amount and the types of data that it processes. Setting up a security team rather than using over-the-counter solutions should be addressed sooner rather than later.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
Probably the best way to detect if your own data has been leaked somewhere is if you see a sudden increase in spam, especially in mail accounts where you would not expect such messages. For IT professionals, I think it is important to take a regular look at log files, to see if network activity is coming from unexpected locations, or at unexpected times. Also your network slowing down, or datasets becoming inaccessible when they should be, could be signs of something being amiss.
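As an added illustration of the log review Paul describes (not code from the interview or from TrustArc), the Python below scans constructed login records and flags successful logins outside an assumed working window or from source addresses that fall outside a hypothetical expected-location map:

```python
import re
from datetime import datetime, timezone

# Constructed sample log lines (not from the interview or any real system).
SAMPLE_LOG = """\
2024-03-12T09:14:07+00:00 login user=alice src=198.51.100.23 result=success
2024-03-12T02:41:55+00:00 login user=bob src=198.51.100.77 result=success
2024-03-12T10:05:12+00:00 login user=carol src=203.0.113.9 result=success
2024-03-12T13:30:00+00:00 login user=dave src=192.0.2.200 result=failure
"""

# Hypothetical mapping of source networks to the locations the organisation
# expects logins from; in practice this would come from a geolocation feed.
EXPECTED_LOCATION_BY_PREFIX = {"198.51.100.": "NL office", "192.0.2.": "home VPN"}
EXPECTED_LOCATIONS = {"NL office", "home VPN"}
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 UTC, an assumed working window

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

def locate(src_ip):
    """Return the expected location label for an IP, or 'unknown'."""
    for prefix, location in EXPECTED_LOCATION_BY_PREFIX.items():
        if src_ip.startswith(prefix):
            return location
    return "unknown"

def find_anomalies(log_text):
    """Return (user, src, reasons) for successful logins at unexpected times
    or from unexpected locations, the two cues the answer above mentions."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] != "success":
            continue   # failed logins are a separate signal, not covered here
        ts = datetime.fromisoformat(m["ts"]).astimezone(timezone.utc)
        reasons = []
        if ts.hour not in BUSINESS_HOURS:
            reasons.append(f"outside business hours ({ts.strftime('%H:%M')} UTC)")
        location = locate(m["src"])
        if location not in EXPECTED_LOCATIONS:
            reasons.append(f"unexpected location ({location})")
        if reasons:
            findings.append((m["user"], m["src"], reasons))
    return findings

if __name__ == "__main__":
    for user, src, reasons in find_anomalies(SAMPLE_LOG):
        print(f"{user} from {src}: {'; '.join(reasons)}")
```

Run against the embedded sample, it reports bob's 02:41 login and carol's login from an unmapped network, while alice's office-hours login and dave's failed attempt are left alone.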
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
The first order of business is to determine if you have ended the breach. If the breach is in an online database, the easiest way to end the breach is typically to take the database offline. In this situation, it is wise to hire experts to perform a forensic analysis of what is happening or what has happened. Next, it is important to gather all relevant parties (security department, privacy team, and marketing/comms team) because you will need to communicate and work together to get through the breach. Bear in mind that you may have to report a security incident — whether a data breach or not — to one or more regulators within set deadlines.
Finally, it is important to be as open and transparent as possible. Transparency is also the best way to protect your customers. Let them know what is happening and reassure them that you will protect them and their data. Be honest and do not make the mistake of thinking you can keep it under wraps. These things always come to light eventually.
At TrustArc, our main products help organizations comply with these types of laws. They are complex laws with which to deal. At the same time, if you look at most of the privacy regulations around the world, you could argue that a lot of the requirements are common sense in terms of how you should handle personal data of your customers and employees, and that there is a lot of overlap. You can therefore leverage compliance efforts made under one law to deal with another.
What are the most common data security and cybersecurity mistakes you have seen companies make?
The biggest problem is when companies do not care about it or view data protection and cybersecurity as one-off projects where you can just tick some boxes. There is no beginning and end; privacy and security are a continuum.
Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
I haven’t yet but I think that cybersecurity or privacy errors have been made and are still being made during this time. We just haven’t seen all of the results or outcomes. For example, the sudden shift to remote work has created many challenges for organizations and I doubt the necessary compliance assessments were conducted along the way. It boils down to “what can be done, what can we afford and what can we rule out.”
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
- Compliance is more than checking boxes — GDPR is a good example of this — People often think it is as simple as “I’ve implemented all these things so now I’m compliant.”
- Understand your requirements — It is probably more than one privacy and cybersecurity law you are dealing with, so you need to assess what is required from a privacy and cybersecurity perspective in each jurisdiction in which your company operates.
- Accept that mistakes will be made — Even if you have the best privacy and security program in the world, people will make mistakes. Maybe they haven’t had their coffee yet and they send out a morning email with all recipients in CC rather than BCC, or have their laptop or other device stolen during after work drinks. If you have a good program, you will be able to deal with these situations when they arise and move forward.
- Train your teams — From the highest level to the lowest level in the organization, everyone should be aware of the company’s policies for privacy and security.
- Review your program on a regular basis — Technology changes, law changes, guidance changes, so it never hurts to review what you have been doing against the latest guidance to see if you are still meeting all the requirements. It could be that you are in perfect order and don’t need to change anything, or maybe some changes are required.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
Start thinking about what you share with whom. People too easily give away their personal information and it ends up in an infinite number of databases with data brokers trying to analyze your actions. If you are more careful with your personal data, it can go a long way.
How can our readers further follow your work online?
Easiest way is to follow my Twitter — @EuroPaulB and of course my weekly Serious Privacy podcast.
This was very inspiring and informative. Thank you so much for the time you spent with this interview!