The regulatory climate around the world is changing rapidly. Scores of new regulations, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and similar laws in other U.S. states, are being enacted in response to growing concerns about privacy and misuse of personal data.
These concerns are being driven largely by the ongoing stream of data breaches and breaches of consumer trust, such as the 2018 scandal in which Cambridge Analytica harvested the personal data of millions of Facebook users without their consent for political advertising purposes. As a result, CIOs and CISOs are being forced to rethink their strategies for security and compliance.
The Impact of New Regulations
When GDPR came into force in May 2018, it became clear that organizations need far stricter control over how they store and handle customer data than they used to have, as well as better insight into what is actually happening to that data. Later regulations such as the CCPA brought similar requirements for lawful data processing and data subject rights, which further changed organizations' attitude toward privacy and compliance.
Organizations started to treat privacy more seriously: As the inability to prove that data is processed lawfully can result in fines, litigation and lost business opportunities, organizations are becoming more concerned with what data they actually store and where it resides. They also want to know how data is used throughout the business processes and who has access to it. Finally, organizations are becoming more concerned about maintaining data security and proving to auditors that they have controls in place to protect data subjects’ information.
Demand for security and compliance products grows: As a result of pressing regulations, organizations increasingly purchase and utilize the tools required to help them fulfill a range of compliance obligations, as well as ensure privacy and security. According to the U.S. GDPR Security Products Forecast, 2018–2022: Impact of GDPR on Spending research from IDC, the U.S. GDPR market generated $416 million in 2017, and the market is forecast to grow to $537 million in 2022.
Compliance skills are in great demand, new roles appear: Since the new standards require organizations to be consistent in their compliance efforts, companies need to hire professionals who can help ease the compliance burden and avoid common pitfalls. The new standards even lead to the introduction of new job positions. For example, the GDPR requires public authorities, and organizations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data, to appoint a data protection officer (DPO), who is responsible for monitoring internal compliance, advising on data protection obligations and acting as a point of contact for data subjects and supervisory authorities. Many organizations have already fulfilled this requirement: A study by the International Association of Privacy Professionals (IAPP) estimates that 500,000 organizations have registered DPOs across Europe, far more than was expected in 2017.
Measures to Ensure Security and Compliance
While organizations are challenged with keeping up with the new regulations, CIOs and CISOs at these organizations need to adopt procedures that will ensure the lawful collection and processing of data and, more broadly, strengthen data security across the organization. Here are the key practices to know about:
Risk Management
Risk management is the ongoing process of identifying, assessing and responding to risk. By assessing the likelihood that various events will occur and the impact that each of them would have, you can better prioritize your cybersecurity activities and investments. Risks can include everything from data theft by employees to external attacks.
Data Discovery and Classification
Organizations have always created, stored and processed large volumes of information. However, modern organizations need deeper insight into their data to ensure security and compliance. Automated data discovery and classification enables organizations to understand what sensitive and regulated data they have and where it resides. That way, organizations can implement proper controls to protect the most critical information, and extract or delete data in response to a data subject’s request.
Data Access Governance
Data access governance gives organizations insight into who has access to what data and who owns it, which enables them to enforce strict control over data access, prevent leaks of business-critical information and ensure that all access rights align with applicable regulations. Just as importantly, it provides evidence to auditors that only eligible employees have permission to work with sensitive information. In practice this means resolving group memberships into effective per-user access, since a single "Everyone" or "Domain Users" grant on a regulated file can silently expose it to the whole organization.
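The two practices above fit together: classification labels become actionable only once they are joined with who can actually reach the data. The following Python example was added for this page and is not code from any product or tool the page describes. It scans a constructed set of in-memory files for common regulated identifiers, validates candidate card numbers with a Luhn check to reduce false positives, assigns a label, expands group-based ACLs into effective per-user access, and flags regulated files that are reachable through broad groups. All file contents, ACLs, group memberships, label names and permission names are constructed assumptions.

```python
"""Data discovery/classification joined with an access review, on constructed sample data."""
import re
from collections import defaultdict

# --- Constructed sample data (hypothetical files, ACLs and people) ----------
SAMPLE_FILES = {
    "/shares/hr/payroll_2023.csv": "name,ssn,salary\nJane Doe,123-45-6789,85000\n",
    "/shares/finance/cards.txt": (
        "Corporate card: 4111 1111 1111 1111\n"
        "Sequence that only looks like a card: 1234 5678 9012 3456\n"
    ),
    "/shares/marketing/leads.csv": "email\nalice@example.com\nbob@example.org\n",
    "/shares/public/lunch_menu.txt": "Monday: pasta\nTuesday: tacos\n",
}
# path -> {principal: permission}; a principal may be a user or a group
SAMPLE_ACLS = {
    "/shares/hr/payroll_2023.csv": {"hr-team": "modify", "Domain Users": "read"},
    "/shares/finance/cards.txt": {"finance-team": "modify", "cfo": "full"},
    "/shares/marketing/leads.csv": {"marketing-team": "modify"},
    "/shares/public/lunch_menu.txt": {"Everyone": "read"},
}
STAFF = {"hr-lead", "hr-analyst", "cfo", "accountant", "cmo", "intern"}
SAMPLE_GROUPS = {
    "hr-team": {"hr-lead", "hr-analyst"},
    "finance-team": {"cfo", "accountant"},
    "marketing-team": {"cmo"},
    "Domain Users": set(STAFF),
    "Everyone": STAFF | {"guest"},
}
BROAD_GROUPS = {"Everyone", "Domain Users", "Authenticated Users"}
PERM_RANK = {"read": 0, "modify": 1, "full": 2}

# --- Discovery and classification -----------------------------------------
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")       # 13-16 digits, optional separators
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters numeric runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_identifiers(text: str) -> dict:
    """Return {identifier_type: [matches]} for the patterns above."""
    found = defaultdict(list)
    found["ssn"].extend(m.group() for m in SSN_RE.finditer(text))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found["card"].append(digits)
    found["email"].extend(m.group() for m in EMAIL_RE.finditer(text))
    return {k: v for k, v in found.items() if v}

def classify(found: dict) -> str:
    """Map identifier types to a label (label names are an assumption)."""
    if "ssn" in found or "card" in found:
        return "restricted"
    return "confidential" if "email" in found else "public"

# --- Access governance -----------------------------------------------------
def expand_principal(principal, groups, seen=None) -> set:
    """Resolve a (possibly nested) group to users; a plain user resolves to itself."""
    seen = set() if seen is None else seen
    if principal not in groups:
        return {principal}
    if principal in seen:                 # guard against cyclic group nesting
        return set()
    seen.add(principal)
    members = set()
    for member in groups[principal]:
        members |= expand_principal(member, groups, seen)
    return members

def effective_access(acls, groups) -> dict:
    """path -> {user: strongest permission}, with group grants expanded to users."""
    result = {}
    for path, acl in acls.items():
        users = {}
        for principal, perm in acl.items():
            for user in expand_principal(principal, groups):
                if PERM_RANK[perm] > PERM_RANK.get(users.get(user), -1):
                    users[user] = perm
        result[path] = users
    return result

def review(files, acls, groups) -> dict:
    """Classify every file and flag regulated files reachable via broad groups."""
    access = effective_access(acls, groups)
    report = {}
    for path, text in files.items():
        found = find_identifiers(text)
        label = classify(found)
        broad = sorted(p for p in acls.get(path, {}) if p in BROAD_GROUPS)
        findings = []
        if label != "public" and broad:
            findings.append(f"{label} data exposed via broad group(s): {', '.join(broad)}")
        report[path] = {
            "label": label,
            "identifiers": {k: len(v) for k, v in found.items()},
            "users_with_access": sorted(access.get(path, {})),
            "findings": findings,
        }
    return report

if __name__ == "__main__":
    for path, entry in review(SAMPLE_FILES, SAMPLE_ACLS, SAMPLE_GROUPS).items():
        print(path, entry["label"], entry["identifiers"], entry["findings"])
```

On the sample data, the payroll file is labelled restricted and flagged because "Domain Users" can read it, while the finance file is restricted but clean, since only the two finance users can reach it; the 16-digit string in the finance file that fails the Luhn check is not reported at all. In a real deployment the regexes would be replaced or supplemented by the organization's own identifier catalogue, and the ACL and group data would come from the file server and directory rather than dictionaries.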
Consent Management
Many regulations have requirements around consent. For instance, the CCPA gives consumers the right to opt out of the sale of their personal information and requires affirmative opt-in consent before the data of consumers under 16 may be sold. Under the GDPR, consent is one of several lawful bases for processing, and it counts only if it is freely given, specific, informed and unambiguous, i.e., given by a clear affirmative action such as ticking an unchecked opt-in box; pre-ticked boxes, silence or inactivity do not constitute consent.
Organizations typically assign responsibility for obtaining consent and maintaining consent records to the DPO or privacy team, whose goal is to be able to show auditors that valid consent exists for every processing activity that relies on it. Ideally, organizations maintain a consent checklist with activities such as: "Regularly review consent to check that the relationship, the processing and the purpose have not changed," and, "Keep a record of when and how we got consent from each individual." Consent and preference management software can help automate the process.
Collaboration With Stakeholders
CIOs need to communicate cybersecurity requirements to stakeholders to make sure they have a full understanding of business risks associated with storing, processing and securing personal data. The NIST Cybersecurity Framework and similar tools can facilitate this collaboration and help align business and technological approaches to ensure proper management of security and compliance risks.
Awareness and Training
Organizations also need to invest in regular cybersecurity training, communicate the importance of privacy to employees who work with customer data, and hire cybersecurity talent or develop in-house expertise.
By adopting these practices, organizations can increase the effectiveness of their compliance efforts and improve overall data management and security. Moreover, a comprehensive approach to privacy and implementation of the necessary controls will enable CIOs to better communicate how cybersecurity investment contributes to optimizing business processes and to gaining a competitive edge by demonstrating respect for individuals' privacy.