Livestreaming on Wednesday May 18, PrivSec Focus: Enterprise Risk brings over 20 thought leaders and subject matter experts together to discuss how businesses can become more robust as they navigate complex threat landscapes.
Jose Belo heads data privacy at AI firm, Valuer.ai, and sits on the European Advisory Board of the International Association of Privacy Professionals (IAPP). He also holds a Certificate in Law & Technology from the University of California (Berkeley), centred on US Intellectual Property and Privacy.
Exclusively at PrivSec Focus: Enterprise Risk, Jose will be lending his views to a panel debate on data breach management policy – a crucial component in any organisation’s data breach prevention and response programme.
The session will bring viewers up to speed with all facets of data breach management policy, from detection and notification to mitigation and review stages.
We spoke with Jose about his career pathway to date, and to learn more about this fundamental layer of corporate resilience.
Could you outline your career pathway so far?
I started in privacy from a law firm perspective. However, I became a bit frustrated with my own lack of understanding on how the GDPR really applies to companies. That led me to leave law firms and start working on compliance. You cannot protect data if you don’t know how to protect data.
After working in Luxembourg and London in the financial sector, I came to Copenhagen for a new challenge: AI and data protection. I have been working at Valuer.ai for over a year now, and still there are processing activities which I have some difficulty in mapping, even though the GDPR does apply well in most cases.
Why is it more important than ever to have a robust data breach management policy?
A good cybersecurity incident response (CSIR) and data breach management (DBM) policy are essential to an organisation. They each, in their own way, allow you to be prepared for the response you have to provide to contain and recover from each security incident and resume normal business operations. They also allow you to notify both data subjects and the supervisory authorities, if there is a need to.
A solid CSIR policy that matches your particular company can be operationalised through a CSIR plan and the SOPs that make them almost like a checklist. A robust data breach management policy is just that: preparing yourself for a worst-case scenario.
What are the key elements of a robust data breach management policy?
A robust DBM policy involves:
- Detection: self-detection or third-party detection
- Qualification: is it a security incident or a false positive?
- Investigation: what happened and when? What went wrong?
- Containment: what do we have to do to stop the security incident from spreading further?
- Recovery: what can we do to restore credibility to the framework?
- Post-mortem: lessons learned and what could we do better?
Each of these steps needs precise SOPs, training and awareness, so that when things go wrong, you know that you and your team know exactly what to do.
What are the key challenges that organisations face as they bid to develop their data breach management policies?
For me, it’s that you can never predict all scenarios and prepare for them beforehand. A good data breach management plan takes this awareness into account and has a scope wide enough to handle new attacks and new ways of gaining access to your systems.
But the key challenge, for me, is that no matter how good your CSIR plan is, it’s only as good as an employee sitting in front of a desk being asked to click a link and thinking about what to do next.
Also on the panel:
- James Drury-Smith, Partner, DWF Law
- Sandy Silk, Director, Information Security Education & Consulting, Harvard University
- Caro Robson, MBA, LLM, FIP, Senior Consultant Legal Advisor, Data Protection & Technology, Milieu Consulting
- Scott A. Warren, Partner, Squire Patton Boggs
Session time: 15:10-16:00 PM BST
Date: Wednesday 18th May 2022