Pop quiz: Who is responsible for compliance and data privacy in an organization? Is it a) the security department, b) the IT department, c) the legal department, d) the compliance group or e) all of the above?
If you answered “all of the above,” you are well-versed in the complex world of compliance and data privacy! While compliance is a complex topic, the patchwork of regulations imposed by countries, regions, states and industries further compounds it. This complexity has turned a well-intentioned requirement into a dilemma for enterprises, which the law ultimately holds responsible for noncompliance.
The critical challenge for enterprises is not how many data privacy regulations there are. Instead, it’s how to get more clarity on what the regulations require of them. Claiming success is difficult when that finish line is elusive. Here’s how organizations can navigate these challenges.
A tangled net of data privacy regulation
In the United States, 35 of 50 states have at least considered data privacy regulation. California, New York, Colorado, Connecticut, Utah and Virginia have all enacted comprehensive consumer data privacy laws — the common thread between them being the right to access and delete personal information and opt out of the sale of personal information. While most laws are modeled after the California Consumer Privacy Act (CCPA), that regulation is being amended by the new California Privacy Rights Act (CPRA). These amendments will establish a separate state data privacy agency and require data rights requests to include employee data.
Across the Atlantic, the European Union (EU)’s General Data Protection Regulation (GDPR) grapples with its own unique challenges. For example, Ireland’s data privacy board — which serves as Meta’s primary regulator in the EU — determined that Meta violated GDPR. However, it took the regulator more than four years to reach this decision due to disagreement within the EU about how to enforce GDPR. The Irish regulator had initially ruled that Meta did not violate GDPR. However, a board of representatives from all other EU countries overruled it.
So even in the case of a specific regulation, differences in understanding arise. If a single federal data privacy regulation goes into effect in the United States, you can expect similar disagreements over how to implement it.
So what can enterprises do when it comes to dealing with compliance complexity?
Understand the regulations and how they apply to you
Every organization needs to assess its situation and work with legal and risk experts to interpret regulations. Knowing which data privacy laws affect you based on your region, industry and type of business is crucial. Also, you need to understand how “passed-down” regulations impact you. These are regulations that your enterprise needs to meet, not because they apply to you directly but because they are required of the vendors your technology and processes integrate with. In fact, for many enterprises, these “passed-down” regulations from partners represent a higher burden than requirements that come directly from regulatory bodies.
Know where your data is
The next fundamental step in compliance is understanding what type of data you have and where it is located. Just as you cannot secure what you cannot see, you cannot meet compliance if you are unaware of where all your data stores are, how people access them and who is accessing them. Just because you have moved your data to the cloud does not mean it ceases to exist for regulatory compliance. The best practice is finding a solution to help you discover and classify structured and unstructured data on-premises and in the cloud. Doing this continuously and automatically also takes that burden off the data security team, which allows them to focus on resolving issues rather than identifying them.
Store the correct data
By correct data, we mean storing what business operations require and keeping the data necessary to show compliance. This may be logs, metadata or other records that can demonstrate compliance. In many cases, enterprises must retain appropriate audit-related data for up to seven years, depending on the type of regulations. That’s a lot of data for most organizations! Meeting compliance requirements demands showing the auditors that you have a handle on where your data is, how users use it and how you remediate issues as they arise. Various software solutions provide workflows to capture the correct data required for compliance reporting. Many of these solutions will also help you produce the report or checklist needed to show compliance.
Leverage pre-built capabilities to ease your journey
As regulations get more complex and gaining visibility into data stores gets more challenging, you should pay close attention to your systems. It is essential to have a compliance and data security platform that gives you as much pre-built automated and integrated capability as possible. That will help you with speed, time to value and ease of your compliance journey. Look for capabilities such as out-of-the-box compliance templates and workflows that can be customized based on your needs. You should consider integrating these tools with your ticketing systems or the security operations center so that automation can take the burden off your security specialists. The right technology and integrated toolset give you a solid footing for your compliance journey.
Would you like to learn more about data security and privacy compliance? Watch this webinar with Leslie Wiggins, Data Security Product Management Program Director at IBM Security Business Unit, and Christopher Steffen, Managing Research Director for Information Security at Enterprise Management Associates (EMA).