Easier Said Than Done: Automating Data Security Compliance


Over the years, organizations amass a massive amount of sensitive information about their customers. This data is largely collected as a core component of the organization’s ability to do business (e.g., medical data for a healthcare provider) or as a basis for big data analytics used for targeted advertising.

As organizations collect more and more sensitive information about their customers, the need for data security grows. In the last few years, a large number of data breaches have demonstrated that hackers are interested in these troves of data and willing to expend significant time and money gaining access to them. A business needs to take the necessary steps to secure the sensitive data it has collected, both for the sake of the customers whose data it is and to protect its own ability to operate competitively.

In recent years, numerous data protection regulations have been passed and have come into effect to provide organizations with additional incentive to implement proper data security protections. However, the rapidly expanding regulatory landscape can make it difficult for organizations to achieve and maintain the necessary levels of compliance.

The expanding compliance landscape

Many modern businesses are international or global, meaning that their customer bases and operations can stretch across national boundaries and jurisdictions. This complicates their efforts to maintain regulatory compliance, since an organization may be required to comply with the laws of any location where it operates and/or where its customers are located.

The reach of data privacy regulations can be complicated to understand. An experiment by a security researcher presenting at the 2019 Black Hat security conference demonstrated that many companies don’t understand that certain regulations apply to them. The General Data Protection Regulation (GDPR) is designed to protect the sensitive data of EU citizens regardless of where the company processing the data is located. However, 5% of the respondents in the experiment (mainly from the US) claimed that GDPR does not apply to them when the security expert requested the personal data they had collected.

Even if organizations do acknowledge that they are liable to comply with any applicable data protection regulations, the sheer number of such regulations can be overwhelming. The US’s lack of a national data protection law has caused most of the individual states to pass their own data protection laws. The complexity of tracking and achieving compliance with each regulation has led 51 tech CEOs to send an open letter to Congress requesting a federal data protection law that would reduce the complexity of compliance.

Challenges of compliance

Achieving and maintaining compliance with data protection regulations can prove to be a significant challenge for any organization. The first challenge that businesses face is identification of any regulations that apply to them.


The EU’s GDPR has helped a little in this regard. A regulation that applies to all of the EU covers a large part of many organizations’ target market. The rule also requires equivalent protections to be implemented at the national or company level before organizations are allowed to store EU data. As a result, several nations have passed laws identical or very similar to GDPR. However, a wide variety of other regulations may apply within certain nations, states, or industries (HIPAA, PCI-DSS, SOX, etc.).

Once an organization has identified the regulations that apply to it, it needs to achieve and maintain compliance, which can be challenging. Most regulations are worded as general requirements, like “use encryption to protect all personally identifiable information (PII)”, rather than as a checklist of security controls that must be implemented to achieve compliance. The organization is responsible for translating those requirements into specific solutions, implementing them, and demonstrating compliance.

Once an organization has achieved compliance, it also needs to work to maintain it. Many regulations require audits in which the organization has to demonstrate how its particular security controls meet the requirements for compliance. An organization may need to generate a report for these audits at least yearly for every applicable regulation.

Automating compliance

Achieving compliance with data protection regulations is important for any organization. These regulations are designed to protect the personal data that consumers have entrusted to the organization. As a result, data protection regulations can include steep penalties for non-compliance, whether or not an actual breach has occurred. Failing to achieve or maintain compliance can be an expensive proposition. However, the sheer number and scope of these regulations can make manually managing compliance difficult or impossible. By automating compliance, organizations can achieve the level of scalability necessary to deal with the modern data protection landscape.

One way that a good data security solution can help with compliance is by automating the discovery of data that should be protected under a particular regulation. Most personally identifiable information (PII) and protected health information (PHI) comes in a recognizable format (e.g., phone numbers, email addresses, Social Security Numbers, etc.). A data security solution can use these formats to discover where such information is stored within an organization’s network. This helps to identify the areas that must be protected for compliance.

Automation can also be valuable for reporting. By using templated reports, an organization can automatically populate them with the data necessary for demonstrating compliance during regular audits. This can help to dramatically decrease the workload associated with remaining compliant.
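As an added illustration of the two automation steps above (format-based PII discovery, then a templated inventory report), not code from the article or any product it describes: the scanner below runs regular expressions for the listed formats over constructed sample data stores, rejects structurally invalid SSNs (area 000, 666 or 9xx; group 00; serial 0000), and renders a per-store summary that an audit report template could consume. The store names, sample records and report wording are all assumptions made up for the example.

```python
import re
from collections import Counter

# Patterns for the PII formats named in the text: US SSN, email, US phone.
# The SSN pattern uses negative lookaheads to drop values that can never be
# issued, which cuts false positives from other 3-2-4 digit codes.
PII_PATTERNS = {
    "ssn":   re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone": re.compile(r"(?<!\d)(?:\+1[ -]?)?(?:\(\d{3}\)|\d{3})[ -]?\d{3}-\d{4}\b"),
}

# Constructed sample data stores (not real data): store name -> contents.
SAMPLE_STORES = {
    "crm/export.csv": "Ann Lee,ann.lee@example.com,(555) 201-7777\n"
                      "Bob Ray,bob@example.org,555-300-1234\n",
    "hr/payroll.txt": "employee 17 SSN 123-45-6789 phone 555-100-2000\n"
                      "employee 18 SSN 000-12-3456 (never issued, ignored)\n",
    "logs/app.log":   "2024-01-01 INFO request id 4821 completed in 12ms\n",
}

def scan_store(text):
    """Count matches of each PII category in one data store's contents."""
    found = Counter()
    for category, pattern in PII_PATTERNS.items():
        found[category] += len(pattern.findall(text))
    return found

def discover_pii(stores):
    """Map each store to its PII counts; stores with no hits are omitted."""
    results = {}
    for name, text in stores.items():
        counts = scan_store(text)
        if sum(counts.values()) > 0:
            results[name] = counts
    return results

def compliance_report(results, regulation="GDPR"):
    """Render the discovery results as lines for a templated audit report."""
    lines = [f"Data inventory for {regulation} scope"]
    for name in sorted(results):
        parts = ", ".join(f"{c}={n}" for c, n in sorted(results[name].items()) if n)
        lines.append(f"  {name}: {parts}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(compliance_report(discover_pii(SAMPLE_STORES)))
```

Pattern matching alone still produces false positives (order numbers, test fixtures) and misses PII stored in non-standard formats, so a real deployment validates hits before they feed the report.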

Compliance with data protection regulations is important both for protecting sensitive customer data and for avoiding regulatory penalties. Although the regulatory landscape is rapidly evolving and shifting, a data security solution can help organizations achieve and maintain compliance through automation.
