We had the opportunity to interview Julien Legrand who is a seasoned information security professional passionate about technology and cyber security with a particular focus on data protection, risk management, penetration testing, and cryptography. In this interview, Julien offers his perspectives on ongoing compliance challenges for organisations with respect to the GDPR and shares practical tips on how we can protect our data and privacy while using our beloved mobile devices.

1. Firstly, thank you for taking part in this campaign. Can you give us an introduction about yourself, Julien? How did you venture into the cyber security world?

I have always been interested in technology since I was able to have my first computer as a teenager. Thanks to a mandatory internship during my high school years, I was able to go into a data center and see all these server bais, it was the click! Thanks, Dad.

Afterward, I continued my studies in computer science, cybersecurity and cryptography, and my career was all mapped out in this domain! I would characterize myself as passionate, determined, and dedicated to cybersecurity and new technology, I still need to learn.

I held the security and data privacy lead position in a fintech company and previously served as an information security and technical expert in international financial service in France, Czech Republic, and Hong Kong.

I am also a regular speaker at external conferences and a technology writer for international newspapers on a variety of technology and cybersecurity topics.

Today my work is focused on being responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected for international organizations.

2. One of the areas you are passionate about is data protection. In your opinion, do strict data protection regulations and innovations contradict each other?

Strict data protection regulations contradict firm innovation. Companies exploit data to innovate new operational models and optimize processes, services, products. On the other hand, personal information can potentially conflict with employee or consumer privacy needs, often causing complex challenges for an enterprise. In this case, data protection regulations define rules stipulating what companies can legally do with collected data. Also, the rules stipulate mandatory data protection controls, policies, and procedures.

That said, data protection regulations and privacy perceptions vary across regions. For example, Europe has stricter regulations than the US concerning what constitutes personal information, who to notify when a data breach occurs, and conditions for collecting and processing personal data. As such, companies in regions with stricter data regulations are disadvantaged over those with lax rules. In addition, strict regulations require higher compliance costs, sapping resources that would otherwise be used to foster innovation and competitiveness.

3. How would you summarise the ongoing compliance challenges for organisations with respect to the GDPR?

One of the most significant GDPR compliance challenges is consent for collecting, processing, and storing data. The regulation requires organizations to prove they have consent to collect and use data belonging to an EU citizen. Furthermore, the consent must be recorded in an auditable form and must be easy for data owners to withdraw at any time.

Also, right to data erasure is a challenge for many companies. Requests for data erasure must be completed within a reasonable time. Therefore, organizations need an efficient and rapid method for processing data erasure requests and ensure they are implemented across all networks, databases, repositories, and systems.

In addition, GDPR requires organizations to get compliance assurance from all third parties. Essentially, they must prove that third-party partners apply the same data protection standards as the company they are in business with. For companies with large amounts of personal data, getting compliance assurance from all third parties can be challenging.

4. What are some practical tips about protecting our data and privacy while using our beloved mobile devices?

The most popular tip is creating a passcode to secure data and user privacy in mobile devices. Only the user should have access to the passcode to prevent unauthorized access. Also, the passcode should be unique and hard to guess.

Moreover, users should update their mobile devices frequently with the latest operating systems, software programs, and security patches. Consistent updates protect user data and privacy by mitigating exploitable vulnerabilities that can cause a data breach.

However, all mobile devices can still be hacked or stolen, causing data loss and privacy violations.  Therefore, to avoid data loss, creating backups for all mobile devices is a recommended practice. Backups permit quick restoration of affected data files. With hackers using attack techniques like rogue access point attacks, mobile devices users should avoid connecting to open Wi-Fi networks. For example, attackers can hack public Wi-Fi networks to intercept communication from all connected mobile devices.

5. How do you stay up to date with industry news and updates regarding data protection and cyber security?

The globe is now at an information age where it is possible to access data protection updates and industry news from anywhere. Closely following cybersecurity professionals can help companies stay current on the latest data protection and cybersecurity news. For example, subscribing to a newsletter from a reputable cybersecurity organization or attending annual conferences are commonly used methods.

Also, social media is an excellent source for breaking news regarding data protection and cybersecurity. Although social media platforms should not be used as a primary source of data protection news, specific hashtags are a rich source of real-time cybersecurity and data protection news.

Lastly, a compliance subject matter expert can provide trusted guidance on technology, industry, or region. For example, dedicated experts on specific data protection requirements, such as GDPR requirements, enable businesses to keep track of emerging laws requiring compliance. In addition, subject matter experts are always updated on the most recent industry news regarding data protection.

6. Lastly, what is the single most important data protection issue you would like to see solved in the next couple of years?

The single most data protection issue I would like solved in the future is transparency and accountability. For many regulations, including the GDPR, companies must provide understandable information regarding the collected data and analyzed data. The information should also notify data owners of the purpose of using the data, whom it might be shared, and how long the data will be retained.

However, to demonstrate accountability and transparency in the processing and securing sensitive data, companies must maintain various data protection policies and procedures. Among others, they include data processing/usage policies, policies for handling and responding to individuals’ data rights, data retention or destruction policies, and policies for assessing data protection measures.

For companies dealing with huge swathes of personal data, proving data protection accountability and transparency is an uphill task. Therefore, relevant regulatory bodies need to look into viable solutions regarding how organizations can prove their ability to protect data.

---

Click here to learn more about the Swiss Cyber Institute’s approach towards improving the digital safety and security of society and economy through education and weekly blog posts. Do you think you are a good fit to participate in our Security Expert Interview Series? Reach out to us for more information.