SearchCIO staff caught up with Xerox Corp. CISO Alissa Johnson at the recent Gartner Symposium in Orlando, Fla., to get her take on the intersection of privacy and cybersecurity and how the European Union's General Data Protection Regulation (GDPR) will influence data privacy protection in the United States.
Johnson cited the rigidity and specificity of cybersecurity versus the subjectivity and broadness of privacy as a major source of conflict between the two areas. The GDPR's May 2018 rollout will further muddy the waters of enterprise data privacy protection, forcing U.S. companies to take a hard look at their strategies, she added.
Editor's note: The following interview has been edited for clarity and length.
What is the conflict between privacy and cybersecurity?
Alissa Johnson: I think the conflict is that there are hard, rigid lines for cybersecurity; we have specific security controls we know about. Privacy is more subjective. We may have differing opinions on what's private or what we want to keep private and what we don't. I think that is where the conflict lies in trying to really understand the evolution of privacy.
As the Millennials take over and the younger generations take over, that evolution of privacy is going to continue to either be a little more gray or they may look at it in terms of, "I want to make sure that my data is used in the way that it should be used or in the way that I've said for it to be used."
With cybersecurity we know the controls and we know the things we have to do; there's a checklist. We know we have to anticipate threats. It's so hard, fast and rigid, whereas the privacy piece is really broad and really moving, and it's jelling in terms of our own common understanding. So I think that's where the conflict takes place.
How will the EU's GDPR, which goes live next year, affect the privacy protection Americans will demand?
Johnson: I think it is a unique perspective to data privacy to see how GDPR is going to affect us, even though we are now in a place where we are responsible for data. By "we" I mean Fortune 500 companies or those global companies that work across the borders. We have a certain level of responsibility for data that belongs to citizens of the European Union. Those citizens have the right to say, "I want my data to be used for this purpose and only for this purpose."
I think when we start granting those protections to citizens of other countries, we're going to take an internal look at ourselves and say, "Well, wait a minute. I want that same level of protection for my own data. I want to be able to say, 'My data is going to be used for this and this only and if another company wants to use it or the same company wants to use it for something else, they need to ask me or notify me and I will grant that type of permission.'" Right now, I think there will be a gray area starting in May of 2018. We'll see a space where we're doing things for people from other countries because of their rules and regulations that we don't even grant for ourselves. It'll definitely make us take a hard look at global data privacy and not just from a country or union perspective.