Companies today are more interconnected than ever before, which has placed cyber security at the core of sustainable business models. Technical and legal departments are now more involved than ever in driving growth with the business.
Darine Fayed, Head of Legal and Data Protection Officer (DPO) at Mailjet, has successfully led a data protection and security transformation program to tackle the legal challenges related to the General Data Protection Regulation (GDPR). All the effort, time and money invested in cyber security and data protection allowed her company to grow its business with minimal risk. In fact, today, under Darine’s direction, Mailjet is accredited by AFNOR Certification as being GDPR compliant, in addition to the ISO 27001 certification it had already obtained.
“After obtaining my law degree and working as a corporate attorney in the United States, I moved to France to continue on the same track. I naturally shifted toward digital and IT topics, working on licensing and software agreements for my law firm’s clients.
After over a decade in corporate law, I became Head of Legal, responsible for risk management at group level, at Mailjet, Europe’s leading email service provider. With the arrival of the EU’s new General Data Protection Regulation in 2016, most companies were obliged to implement actions to comply with the upcoming regulation. One of these actions was the appointment of a DPO. Due to my position and digital experience at the time, I was asked to manage the data privacy obligations and lead the transformation across the business, legal and IT teams as Mailjet’s Data Protection Officer. One of my objectives was achieving GDPR compliance through close collaboration with IT teams.
It took Mailjet over one year to become fully compliant with the GDPR’s strict requirements; one year during which I discovered new aspects of cyber security and learned about data protection challenges.
Simultaneously, I also advocated for legal tech (technology at the service of the law), aiming to combine digital and legal endeavours in companies. Specifically, I worked on including cyber security considerations in the legal yearly goals.”
Darine strongly believes in security by default. Every decision in a business process must be taken with security in mind, particularly when personal data is involved. With that in mind, Darine describes this industry as follows:
Cyber security is awareness
Because it affects every employee in a company, Darine argues that cyber security is everyone’s business. The process starts with internal training and building awareness among Business, Marketing, HR and IT teams. Once there is a notable shift in the corporate mind-set, people start to see security not as a burden but as a foundation for business. Darine explains how, when working on new features in a platform or a system, a company’s security awareness improves quality and customer satisfaction:
“Product developers now ask the right questions: How do I make this product secure? How will data be collected or processed in this new feature? What system or measures do I have to put in place in order to secure and restrict the access to this feature?”
Cyber security is top-down
As previous projects carried out by Mailjet’s technical teams received pushback from the business, Darine believes that the ownership of IT security inside her company has shifted to the top: “Our CEO has driven the GDPR compliance initiatives that provided the necessary support to carry out the transformation and convince people who were still resistant to change.” Once senior management understands the importance and defines the objectives of the project, it becomes easier to get everyone on board to pursue the same vision.
Cyber security is a team effort
When we talk about team effort, we tend to think only of an organization’s internal teams. A cyber security project can only succeed by involving all the individuals connected to a company. A company is an ecosystem of employees, partners, suppliers, clients and providers. With the GDPR, companies do not just comply with the regulation, but learn who their partners are and how to work with them:
“We had to terminate some contracts with our providers that didn’t provide the level of security that we needed. Each company needs to surround itself with providers for whom cyber security and data protection are a common objective. Indeed, cyber security can become a competitive advantage when the core business of a company collaborates with third parties and clients.”
Cyber security starts with legal considerations
In cyber security, people who understand applicable laws and regulations must be in charge of legal activities. The GDPR is the perfect example of a regulation that took businesses by storm. Organisations will now be put out of business if they do not have cyber security embedded within their DNA. As Darine explains, a legal department’s objective is to ensure minimal risk for the company, including cyber risk; this must be leveraged in security and privacy efforts:
“With all my previous experience in law firms, it was more natural for me to use my legal logic to manage GDPR compliance projects. I was able to interpret the regulation that allowed me to collaborate with the CTO on this journey. The translation from the legal compliance of a system to IT actions has been very interesting and rewarding for me.”
When reflecting on her career and how she was able to apply her legal background to cyber security challenges, Darine highlights the importance of continuous learning and how it has helped her deal with new situations:
“No matter if it is your goal to make cyber security your career, or if you are just curious as to how your data is processed, or even if you just want to know how to make your password a little stronger, it’s important to be deeply invested in an evolving subject like data protection. It’s no longer only clients’ concerns, but individuals’ concerns that can be leveraged as learning opportunities.”