Pop quiz: Who is responsible for compliance and data privacy in an organization? Is it a) the security department, b) the IT department, c) the legal department, d) the compliance group or e) all of the above?

If you answered “all of the above,” you are well-versed in the complex world of compliance and data privacy! While compliance is a complex topic, the patchwork of regulations imposed by countries, regions, states and industries further compounds it. This complexity has turned a well-intentioned requirement into a dilemma for enterprises, which the law ultimately holds responsible for noncompliance.

The critical challenge for enterprises is not how many data privacy regulations there are. Instead, it’s how to get more clarity on what the regulations require of them. Claiming success is difficult when that finish line is elusive. Here’s how organizations can navigate these challenges.

A Tangled Net of Data Privacy Regulation

In the United States, 35 of 50 states have at least considered data privacy regulation. California, New York, Colorado, Connecticut, Utah and Virginia have all enacted comprehensive consumer data privacy laws, and the common thread between them is the right to access and delete personal information and to opt out of the sale of personal information. While most of these laws are modeled on the California Consumer Privacy Act (CCPA), that regulation itself has been amended by the California Privacy Rights Act (CPRA). The amendments establish a dedicated state enforcement body, the California Privacy Protection Agency, and extend data rights requests to cover employee data, which the CCPA had previously exempted.

Across the Atlantic, the European Union (EU)'s General Data Protection Regulation (GDPR) grapples with its own unique challenges. For example, Ireland's Data Protection Commission, which serves as Meta's lead regulator in the EU, determined that Meta violated GDPR. However, it took more than four years to reach this decision because EU regulators disagreed about how GDPR should be enforced. The Irish regulator's draft decision had found no violation on the question of Meta's legal basis for processing, but the European Data Protection Board, on which the supervisory authorities of the other EU member states sit, issued a binding decision overruling it.

So even in the case of a specific regulation, differences in understanding arise. If a single federal data privacy regulation goes into effect in the United States, you can expect similar disagreements over how to implement it.

So what can enterprises do when it comes to dealing with compliance complexity?


Understand the Regulations and How they Apply to You

Every organization needs to assess its situation and work with legal and risk experts to interpret regulations. Knowing which data privacy laws affect you based on your region, industry and type of business is crucial. You also need to understand how "passed-down" regulations impact you. These are requirements your enterprise must meet not because a regulator imposes them on you directly, but because they are imposed on the partners and vendors that your technology and processes integrate with, and those partners pass them on contractually. In fact, for many enterprises, these "passed-down" requirements from partners represent a heavier burden than the requirements that come directly from regulatory bodies.

Know Where Your Data is

The next fundamental step in compliance is understanding what type of data you have and where it is located. Just as you cannot secure what you cannot see, you cannot meet compliance obligations if you do not know where all your data stores are, how they are accessed and who is accessing them. Moving data to the cloud does not remove it from the scope of regulatory compliance. The best practice is to adopt a solution that discovers and classifies structured and unstructured data both on-premises and in the cloud. Doing this continuously and automatically takes the discovery burden off the data security team, allowing them to focus on resolving issues rather than finding them.
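To make the discovery-and-classification step concrete, here is an added example (not code from the original article or from any product it mentions) of the core logic such a tool runs: it scans a set of data stores, classifies the personal data each one contains, and produces an inventory of which stores hold which data classes. The store names and records are constructed sample data. It covers both structured rows and unstructured text, and it shows the check a practitioner wants that a naive pattern scan misses: card-number candidates are validated with the Luhn checksum, so order or tracking numbers that merely look like card numbers are not reported as payment data.

```python
"""Minimal sensitive-data discovery and classification pass.

Scans a set of "data stores" (constructed in-memory samples standing in for
database tables, object storage and file shares) and reports which stores
hold which classes of personal data. All store names and records below are
constructed for illustration.
"""
import re
from collections import defaultdict

# Detection rules for a few common personal-data classes. Card-number
# candidates are 13-19 digits with optional space/dash separators and are
# confirmed with the Luhn checksum in classify_text().
PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "us_ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "credit_card": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
}


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_text(text: str) -> dict:
    """Count matches of each personal-data class in a blob of text."""
    hits = defaultdict(int)
    for label, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            if label == "credit_card":
                digits = re.sub(r"[ -]", "", match.group())
                # Drop 13-19 digit strings that fail Luhn (order IDs, tracking numbers).
                if not luhn_valid(digits):
                    continue
            hits[label] += 1
    return dict(hits)


def build_inventory(stores: dict) -> dict:
    """Map each store name to {data_class: match_count}, omitting clean stores.

    `stores` maps a store name to either a list of dicts (structured rows) or
    a string (unstructured text). Rows are flattened to text so both kinds
    are classified by the same rules.
    """
    inventory = {}
    for name, content in stores.items():
        if isinstance(content, str):
            text = content
        else:
            text = "\n".join(" ".join(str(v) for v in row.values()) for row in content)
        hits = classify_text(text)
        if hits:
            inventory[name] = hits
    return inventory


# Constructed sample stores: a CRM table, a support-ticket archive and a build log.
SAMPLE_STORES = {
    "crm_db.customers": [
        {"id": 1, "name": "Ada Example", "email": "ada@example.com"},
        {"id": 2, "name": "Bo Sample", "email": "bo@example.org", "ssn": "123-45-6789"},
    ],
    "s3://archive/support-2022.txt": (
        "Ticket 7781: customer paid with card 4111 1111 1111 1111, "
        "follow-up sent to ada@example.com\n"
        "Ticket 7782: tracking number 1234 5678 9012 3456 shipped\n"
    ),
    "fileshare/eng/build-logs.txt": "build 20230115 passed, 0 warnings\n",
}


if __name__ == "__main__":
    for store, classes in build_inventory(SAMPLE_STORES).items():
        print(f"{store}: {classes}")
```

Run as a script, the inventory lists the CRM table (emails and one SSN) and the ticket archive (one valid card number and one email); the build log and the Luhn-failing tracking number are not reported. A production tool adds connectors for real stores, richer classifiers and access metadata, but this is the loop it runs, and the inventory it produces is the artifact an auditor asks for.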

Store the Correct Data

By correct data, we mean storing what business operations require plus the data needed to demonstrate compliance. This may be logs, metadata or other artifacts that show controls were in place and working. In many cases, enterprises must retain the relevant audit data for up to seven years, depending on the regulations involved. That is a lot of data for most organizations! Meeting compliance requirements means showing auditors that you know where your data is, how users use it and how you remediate issues as they arise. Various software solutions provide workflows to capture the data required for compliance reporting, and many will also produce the report or checklist needed to demonstrate compliance.

Leverage Pre-Built Capabilities to Ease Your Journey

As regulations get more complex and gaining visibility into data stores gets more challenging, you should pay close attention to your systems. It is essential to have a compliance and data security platform that gives you as much pre-built automated and integrated capability as possible. That will help you with speed, time to value and ease of your compliance journey. Look for capabilities such as out-of-the-box compliance templates and workflows that can be customized based on your needs. You should consider integrating these tools with your ticketing systems or the security operations center so that automation can take the burden off your security specialists. The right technology and integrated toolset give you a solid footing for your compliance journey.

Would you like to learn more about data security and privacy compliance? Watch this webinar with Leslie Wiggins, Data Security Product Management Program Director at IBM Security Business Unit, and Christopher Steffen, Managing Research Director for Information Security at Enterprise Management Associates (EMA).
