Pop quiz: Who is responsible for compliance and data privacy in an organization? Is it a) the security department, b) the IT department, c) the legal department, d) the compliance group or e) all of the above?

If you answered “all of the above,” you are well-versed in the complex world of compliance and data privacy! While compliance is a complex topic, the patchwork of regulations imposed by countries, regions, states and industries further compounds it. This complexity has turned a well-intentioned requirement into a dilemma for enterprises, which the law ultimately holds responsible for noncompliance.

The critical challenge for enterprises is not how many data privacy regulations there are. Instead, it’s how to get more clarity on what the regulations require of them. Claiming success is difficult when that finish line is elusive. Here’s how organizations can navigate these challenges.

A tangled net of data privacy regulation

In the United States, 35 of 50 states have at least considered data privacy regulation. California, New York, Colorado, Connecticut, Utah and Virginia have all enacted comprehensive consumer data privacy laws —  the common thread between them being the right to access and delete personal information and opt out of the sale of personal information. While most laws are modeled after the California Consumer Privacy Act (CCPA), that regulation is being amended by the new California Privacy Rights Act (CPRA). These amendments will establish a separate state data privacy agency and require data rights requests to include employee data.

Across the Atlantic, the European Union (EU)’s General Data Protection Regulation (GDPR) grapples with its own unique challenges. For example, Ireland’s data privacy board — which serves as Meta’s primary regulator in the EU — determined that Meta violated GDPR. However, it took the regulator more than four years to reach this decision due to disagreement within the EU about how to enforce GDPR. The Irish regulator had initially ruled that Meta did not violate GDPR. However, a board of representatives from all other EU countries overruled it.

So even in the case of a specific regulation, differences in understanding arise. If a single federal data privacy regulation goes into effect in the United States, you can expect similar disagreements over how to implement it.

So what can enterprises do when it comes to dealing with compliance complexity?

Watch the Webinar

Understand the regulations and how they apply to you

Every organization needs to assess its situation and work with legal and risk experts to interpret regulations. Knowing which data privacy laws affect you based on your region, industry and type of business is crucial. Also, you need to understand how “passed-down” regulations impact you. These are regulations that your enterprise needs to meet, not because it affects you directly but because it is required of the vendors your technology and processes integrate with. In fact, for many enterprises, these “passed-down” regulations from partners reflect a higher burden than requirements directly from regulatory bodies.

Know where your data is

The next fundamental step in compliance is understanding what type of data you have and where it is located. Just like you cannot secure what you cannot see, you cannot meet compliance if you are unaware of where all your data stores are, how people access them and who is accessing them. Just because you have moved your data to the cloud does not mean it ceases to exist for regulatory compliance. The best practice is finding a solution to help you discover and classify structured and unstructured data on-premise and in the cloud. Also, doing this continuously and automatically takes that burden off the data security team. That allows them to focus on resolving the issue rather than identifying it.

Store the correct data

By correct data, we mean storing what business operations require and keeping data necessary to show compliance. This may be logs, metadata or other features that can demonstrate compliance. In many cases, enterprises must retain appropriate audit-related data for up to seven years, depending on the type of regulations. That’s a lot of data for most organizations! Meeting compliance requirements demands showing the auditors that you have a handle on where your data is, how users use it and how to remediate issues as they arise. Various software solutions provide workflows to capture the correct data required for compliance reporting. Many of these solutions will also help you produce that needed report or checklist to show compliance.

Leverage pre-built capabilities to ease your journey

As regulations get more complex and gaining visibility into data stores gets more challenging, you should pay close attention to your systems. It is essential to have a compliance and data security platform that gives you as much pre-built automated and integrated capability as possible. That will help you with speed, time to value and ease of your compliance journey. Look for capabilities such as out-of-the-box compliance templates and workflows that can be customized based on your needs. You should consider integrating these tools with your ticketing systems or the security operations center so that automation can take the burden off your security specialists. The right technology and integrated toolset give you a solid footing for your compliance journey.

Would you like to learn more about data security and privacy compliance? Watch this webinar with Leslie Wiggins, Data Security Product Management Program Director at IBM Security Business Unit, and Christopher Steffen, Managing Research Director for Information Security at Enterprise Management Associates (EMA).

More from Data Protection

Data security tools make data loss prevention more efficient

3 min read - As businesses navigate the complexities of modern-day cybersecurity initiatives, data loss prevention (DLP) software is the frontline defense against potential data breaches and exfiltration. DLP solutions allow organizations to detect, react to and prevent data leakage or misuse of sensitive information that can lead to catastrophic consequences. However, while DLP solutions play a critical role in cybersecurity, their effectiveness significantly improves when integrated with the right tools and infrastructure. Key limitations of DLP solutions (and how to overcome them) DLP…

Defense in depth: Layering your security coverage

2 min read - The more valuable a possession, the more steps you take to protect it. A home, for example, is protected by the lock systems on doors and windows, but the valuable or sensitive items that a criminal might steal are stored with even more security — in a locked filing cabinet or a safe. This provides layers of protection for the things you really don’t want a thief to get their hands on. You tailor each item’s protection accordingly, depending on…

What is data security posture management?

3 min read - Do you know where all your organization’s data resides across your hybrid cloud environment? Is it appropriately protected? How sure are you? 30%? 50%? It may not be enough. The Cost of a Data Breach Report 2023 revealed that 82% of breaches involved data in the cloud, and 39% of breached data was stored across multiple types of environments. If you have any doubt, your enterprise should consider acquiring a data security posture management (DSPM) solution. With the global average…

Cost of a data breach: The evolving role of law enforcement

4 min read - If someone broke into your company’s office to steal your valuable assets, your first step would be to contact law enforcement. But would your reaction be the same if someone broke into your company’s network and accessed your most valuable assets through a data breach? A decade ago, when smartphones were still relatively new and most people were still coming to understand the value of data both corporate-wide and personally, there was little incentive to report cyber crime. It was…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today