Growing concerns over consumer privacy and data security have led to a flurry of laws aimed at making organizations more accountable for how they manage and share the information they collect about people. Some of the new measures take their lead from laws such as the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA) in the United States.
Requirements contained in the GDPR are shaping privacy regulations globally, said Enza Iannopollo, a senior analyst with Forrester Research. The California Consumer Privacy Act and the new Brazilian Data Protection Rules, for example, both contain requirements that are similar to those of GDPR.
"It's a challenging task, but ironically GDPR has simplified it."
—Enza Iannopollo
Nevertheless, for the most part, companies that do business across state lines or national borders will find themselves facing a patchwork of requirements. That's why Iannopollo cautions: "Organizations must monitor the privacy regulatory landscape continuously and cross-reference requirements." If their privacy program has solid foundations in place, meeting additional regulatory requirements will require less effort.
Here's how to go beyond policy with your data protection approach.
Delay is not an option
Close monitoring of the regulatory landscape, though, has its own challenges, because many of the new laws can be vague and nonprescriptive. What personal information is, how it should be managed, and the rights of data subjects are often poorly defined and open to interpretation.
John Tomaszewski, a data protection attorney with the law firm of Seyfarth Shaw, said that in Europe, trade union information is considered sensitive, for example, but a credit card number isn't.
"What's considered personal information changes from law to law. Not only that, but what's considered sensitive changes from location to location."
—John Tomaszewski
Companies may feel that uncertainty in the regulatory landscape might be a good reason to drag their heels on privacy and data security programs, but such delays can be costly, said Jena Valdetero, a partner and co-lead of the data privacy and security team at the law firm of Bryan Cave Leighton Paisner.
"A regulator won't let you off the hook for noncompliance with a law you believe is vague."
—Jena Valdetero
You should never conduct a legal strategy in a way that's reactive, said Andrew Burt, chief legal officer with Immuta, an automated data governance company. "If you do and you run into a problem, you'll just be penalized more."
Waiting for regulators to settle on a final privacy strategy to get your act together can be a recipe for disaster, Burt said.
"It sends a signal: Not only should this company be fined, but they should get the maximum fine, which is reserved for negligent behavior or types of behavior that signal we just don't care."
—Andrew Burt
Still, there are companies that like flirting with uncertainty. Ernie Anderson, chief services officer at Kudelski Security, a provider of tailored cybersecurity products, said that he has seen companies delay compliance with privacy and data security laws. They're waiting to see how severely regulators will punish lawbreakers and how their industry peers are reacting to the new legal regime.
"I wouldn't recommend wait-and-see. But to me, it's not about chasing regulations. It's about knowing your customer data is critical and sensitive so you should be protecting it, regardless of what the rules and laws say. You owe it to your customers to protect that data."
—Ernie Anderson
Avoid regulatory Whack-a-Mole
While crafting a privacy and data protection program that meets the demands of a crazy quilt of laws and regulations is challenging, it isn't impossible, said Paige Bartley, senior research analyst for data, AI and analytics at 451 Research.
"Organizations need to focus on commonalities and core principles before they focus on checklist-style, regulation-specific requirements."
—Paige Bartley
If an organization focuses on the data management architecture that supports the most common requirements, "much of the battle is already won," she said. From there, highly specific technical needs can be addressed.
The key point is that organizations "can't try to play Whack-A-Mole with each new regulation," she said. Enterprise data privacy strategy needs to be overarching and cohesive, with very specific requirements treated as embellishments.
Five keys to compliance
What are some of the common principles and requirements that should be the foundation of a flexible privacy and data protection program? A recent white paper by Micro Focus identified five key requirements for such a program.
Greg Clark, Micro Focus' worldwide director for security, risk and government product management, said the report identifies five things that will help your organization comply with regulations and ensure your reputation, brand, and shareholder value are preserved, and your risk of sanctions and fines is reduced.
"These are basic principles that should enable you to be in a better position of compliance if you follow them."
—Greg Clark
1. Identify personal information that is created, received, and shared with others
Identifying personal information is a common requirement of all laws. It includes tracking the workflow of personal information through and across applications, as well as where personal information is stored and with whom privacy information is shared.
Asaf Ashkenazi, COO of Verimatrix, a developer of software-based content security, authentication, watermarking, and cybersecurity products, said this was easier said than done.
"Many companies don’t even know what is considered private information, let alone how to protect it."
—Asaf Ashkenazi
For example, he said, it's not widely known that even a simple email address can be considered personal information. "You can't take the proper actions to protect data if you don't know what you need to protect," he said.
Seyfarth Shaw's Tomaszewski explained that many IT systems grow organically. In enterprises, that can lead to a large number of moving parts that don't talk to each other.
"So you not only need an inventory of the data you have, but an inventory of why you have it and what you're doing with it."
—John Tomaszewski
2. Secure personal data across the enterprise—and beyond—against data breaches and inadvertent disclosure
Locking down centralized databases is the easy part of securing personal data. It's customer information on the fringes that can be a real challenge, said John Pescatore, director of emerging trends at the SANS Institute.
"It's one thing to know where your big databases of sensitive information are, but you might have backups in the cloud, data in Office 365 emails, and customer lists on employees' laptops."
—John Pescatore
Many companies don't know where their sensitive data is, which is why many breaches happen, he added.
Security needs to extend to access as well as to databases and flat files, said Ameya Talwalkar, chief product officer and co-founder of Cequence Security, a maker of application security products.
"With APIs as a key enabler of digital transformation, much of the data leakage is happening through insecure APIs or automated business logic abuse."
—Ameya Talwalkar
This happens not only because the APIs have fewer protections, but also because they allow for access and exfiltration at a rapid rate and massive scale.
The thorny problem with securing personal information across the enterprise is that many applications are designed to share data. Interfering with that sharing can result in productivity hits.
So don't block the sharing, said Salah Nassar, vice president of marketing at CipherCloud, maker of a cloud security platform.
"You need to allow applications to share, but monitor what they're doing and apply policies to it based on your company's data protection policies."
—Salah Nassar
Protecting customer data can't stop at the fringes of the enterprise, either. It has to embrace third-party companies and partners, too. Too many organizations don’t ask their third parties how they're protecting customer information, and don't dig deeply enough into the answers they get about data privacy from prospective and current partners, said Chloé Messdaghi, vice president of strategy at Point3 Security, a provider of training and analytic tools to the security industry.
3. Set up a system to respond to requests by people for data you have on them and who you share it with
That system has to be able to gather information from across your organization, not just from customer service applications, and it must be scalable.
"When someone asks a company, 'What personal information are you keeping about me?' a company could go to all of its systems, look for that person's account number and other personal data and in a couple of weeks respond to their request," said Micro Focus' Clark.
But that process is manual, he said. The problem comes when 10 people make that request, or 100 people, or 1,000.
"It's impossible for a business to comply manually, and it can become a major disruption to the business."
—Greg Clark
Cequence's Talwalkar said that visibility and automation are the two biggest challenges facing organizations when dealing with requests from users. Organizations lack visibility into what systems may contain user data and in what form, he said.
"Subsequently, they also lack automation in responding to these queries. That results in a lot of manual effort, leading to high cost and risk of errors in execution that eventually lead to penalties and fines."
—Ameya Talwalkar
4. Create a process for producing personal information reports
In addition to giving consumers the right to see what data a company has on them and who it's sharing it with, most privacy and data security laws allow consumers to obtain a copy of that data.
So the system created to collect the data should also be capable of putting it into a single package to meet, at scale, copy-of-data requests.
5. Create a compliant process for deleting information
Another common principle in most privacy and data protection laws is the right of a person to have personal information deleted or in some cases de-identified. Organizations have to be careful, however, that they don't delete data that needs to be retained to comply with laws, regulations, or a legal hold.
In addition, they must take care that any encryption or de-identification used to comply with a consumer's request doesn't scotch the referential integrity of any database they're using.
Brittany Roush, a director at the Crypsis Group, an incident response, risk management, and digital forensics firm, said that two questions need to be answered before data is deleted: First, does the organization need the data to be successful? Second, what must be preserved under data retention policies? "If they can answer those questions, they should then be able to easily determine what can be deleted or de-identified."
Getting answers to those questions is not always easy, Roush acknowledged, but it can be done with some experienced help.
"Working with experienced legal counsel and information governance teams to understand an organization's data retention needs is critical to ensuring that the process does not open an organization up to risk."
—Brittany Roush
Keep your data tidy
Of course, the less data you hoard, the less you have to worry about deleting.
Regardless of the specific requirements of current or future privacy laws, "you can reduce your organization's exposure by limiting the personal data obtained and the duration for which you retain it," said Nicole Killen, vice president and chief privacy officer at Neustar, a provider of cloud-based promotion and protection services.
As data storage costs dropped, many organizations had a stronger inclination to hold on to personal information beyond its designated purpose—and well after its accuracy shelf-life—just in case it could be used for some unknown purpose at some point in the future, she explained.
That isn't the case anymore. Discussions that once focused on risks associated with broad collection and indefinite storage of personal data have now shifted to how to achieve a desired outcome or satisfy a need with as little personal data as possible, stored for as short a time as possible.
"This switch in perspective, along with robust data hygiene of your organization's archived data, will always serve you well, regardless of the shifting privacy law landscape."
—Nicole Killen