Ensuring Compliance with Data Protection Regulations
While the end goal of compliance is often in line with organisations’ broader data security practices, it must be approached as its own unique challenge.
Compliance demands organisations develop transparent data management policies which prioritise the privacy and security of customers’ personal data.
Failure to do so risks exposure to severe legal, financial, and reputational repercussions.
researchHQ’s Guide to Regulatory Compliance:
By 2023, 65% of the global population’s personal information will be covered under data privacy regulations, Gartner predicts.
At researchHQ, our team has hand-selected the most valuable and relevant content for those looking to effectively navigate today’s tightening regulatory landscape.
Data Privacy in 2021:
If you’re currently mapping out a data privacy strategy CPO Magazine’s blog on what’s in store for data privacy in 2021 is a great place to start.
Alternatively, if you’re short on time, then check out OneTrust’s short video on data privacy in 2021.
Compliance in the Cloud:
For those in the process of migrating to the cloud, Intezer has written a blog breaking down the most significant compliance issues when transitioning to the cloud.
Data Security & Compliance:
It is easy to confuse the exact relationship between data security and data privacy. Auth0 has put together a blog detailing this relationship and how both the security and privacy of data are necessary for compliance.
Compliance with data protection regulations requires organizations to notify their customers of a personal data breach within 72 hours. Cyberark has created a useful infographic outlining what this 72-hour data breach response plan might look like.
Table of Contents:
- Tightening data protection regulations are placing increased responsibility on organisations to enforce the privacy and security of their customers’ personal data.
- To meet compliance requirements, organisations must first understand what they can and can’t do and then develop a unique data management strategy accordingly.
- The most common compliance pitfalls stem from a lack of responsibility or transparency around customers’ personal data.
- Compliance success stems from centralised oversight and visibility into the data practices throughout the entire organisation.
What are Data Protection Regulations?
The EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are symbolic of a broader tightening in data protection regulations.
The tide appears to be turning when it comes to data protection. This new regulatory era is seeking to return the power over personal data back to the customer. The responsibility is with organisations to meet these new standards.
With both these regulations now in full effect, organisations are having to adapt, fast. Compliance with these regulations involves an organisation’s policies surrounding both the collection and use of customer data.
The implications of tightening regulations are relatively simple. Failure to comply with tightening regulations will expose organisations to severe financial, legal, and reputational risks.
So what about achieving regulatory compliance makes it such a daunting task?
The potential fines are certainly nothing to be laughed at. Between May 2018 and January 2021 the rough cumulative total cost of fines issued under the GDPR was just under €275 million.
The largest of these was the €50 million fine received by Google in 2020.
Everyone is Affected
The fine received by Google last year highlights a key point that is too often overlooked – not only companies headquartered in the EU or California are vulnerable under these regulations.
Under the GDPR, any organisation operating within the EU, offering goods or services to people within the EU, or processing the ‘personally identifiable’ data of people within the EU is subject to these new regulations.
Things are slightly different under the CCPA, which focuses specifically on the protection of California residents’ ‘personal data’. Despite these differences, these regulations mark a similar pattern which should concern organisations worldwide.
The tightening of regulations may be occurring on a regional basis, but it is having a global impact.
Data Privacy & Security
While the two are often coupled together, it is important to differentiate between data security and data privacy, as compliance requires achieving a certain standard in both.
Data privacy is, in essence, a matter of the ‘what’, ‘why’ and ‘how’ of the personal data an organisation collects from its customers. It concerns what information an organisation asks for, why it asks for it, and how it stores, uses or shares that information.
Compliance with data privacy laws ultimately comes down to transparency. Organisations must clearly communicate their data policies to customers, explaining what data they use and why, and give them greater control over how their data is used.
Data security is about how an organisation protects the personal customer data it collects from internal and unauthorised access or corruption. To ensure legal compliance, organisations must meet certain mandated minimum requirements in how they minimise and manage the risks their customer data is exposed to.
Alongside actually implementing data practices in accordance with data protection regulations, one of the biggest challenges is that organisations must have all the information on their practices readily available to share on demand.
What data is Protected?
As organisations plan their data privacy and security policies they must first be sure to understand what exactly personal data refers to.
Under the GDPR personal data is defined as information that can be used to identify the natural person to whom the data relates.
More extensive lists are available detailing the different types of personal data under the GDPR, from political to biometric. However, for the purpose of understanding what personal data refers to, the above definition is adequate.
Common Compliance Pitfalls:
It’s been made clear just how important legal and regulatory compliance is and how daunting a task it can appear. But the best way to succeed is to learn from the mistakes of those who have gone before you. Below are some common pitfalls to avoid on the journey to data protection compliance:
Too Much Data
Over recent years the idea of big data has gained great popularity. This has led to a growing mentality within business and IT circles that more data is always better. In light of growing regulatory control, however, this can no longer be seen in black and white.
Yes, keeping more data just for data’s sake will still benefit an organisation’s big data practices. Unfortunately, it also makes the likelihood of a compliance failure far higher. For one thing, the more data an organisation is collecting and storing, the more difficult it is to enforce data practices. For another, storing more data broadens an organisation’s attack surface and raises the likelihood of a data breach which, depending on the response and practices in place, could lead to regulatory penalties.
Organisations must strike a balance of gathering volumes of useful data for analysis without attempting to process and store more data than they can handle.
Opt-in vs Opt-out
Organisations can no longer plan their data collection and management strategies around ‘opt-out’ principles. Opt-out operates on the assumption of user consent and offers a method for users to revoke their consent or ‘opt-out’.
Instead, GDPR compliance demands ‘prior consent’. Customers must now provide their explicit consent before organisations can collect, store, and use their personal data. It is worth noting that this is not the case under the CCPA – which allows organisations to continue to operate on an opt-out basis.
As organisations plan their data policies, they must ensure they incorporate transparency and choice.
Responsibility for Data in the Cloud
Ah yes, the question of how to distribute shared responsibility within the cloud – the theme which connects all cloud security issues and challenges. As organisations increasingly move their data and workflows to the cloud, there are often misconceptions about where responsibility for how that data is stored and processed lies.
Organisations often choose to use a managed service provider, such as AWS, Azure, or Google Cloud. Yet the responsibility for ensuring that data practices within the cloud are compliant does not pass to that vendor; it remains with the organisation, as does the responsibility for ensuring the security of that data.
To avoid being caught out by compliance failures, organisations must ensure that their cloud provider and applications or systems being used in the cloud are in line with regulatory requirements.
Reporting Data Breaches
Data breaches do not automatically result in regulatory penalties; however, there are very specific criteria that must be met when a data breach occurs. One such criterion under the GDPR is that any breach must be reported within 72 hours of when an organisation first becomes aware of it.
For organisations without data breach response procedures, 72 hours is not a lot of time to report a breach to all its customers. In fact, taking the UK as a case study, of the 21,705 personal data breaches reported to the ICO between May 2018 and November 2020, over one third were reported late.
The sheer volume of these figures might cause some to think that not all organisations are being penalised for late reports. Whether or not this assumption is correct, the question remains whether it is worth exposing an organisation to such legal, financial and reputational repercussions.
Compliance demands that organisations move beyond the collection and storage of data. Worst-case scenarios must be planned for, and response plans put in place which ensure the necessary transparency when dealing with customers in the event of a breach.
Best Practices to Ensure Compliance:
Formulate a Centralised Data Management Plan
The first step towards ensuring compliance is to make a clear internal map of what personal data your organisation is collecting, how that data is being stored and processed, and what that data is being used for.
This may seem somewhat self-explanatory, yet its importance warrants emphasis. Under new regulations organisations are required to provide material explaining their data practices on demand, meaning documentation laying out data practices and policies is essential.
Additionally, as the scale of data accumulated by organisations continues to increase, the likelihood of poor data practices slipping through the cracks increases. Centralised visibility into the location and nature of personal data being stored is crucial to effective data privacy and security.
For many organisations, being asked to manage and record how their data is processed manually can appear quite daunting. As with all data security-related matters, there exists a risk that focusing too heavily on compliance will drastically reduce operational efficiency and impact services offered to customers.
Fortunately, automation tools are available to help ease the burden. Organisations can adopt varying degrees of automation to best tackle compliance requirements. On one level, automation tools can be used to document how personal data is being processed as required under the GDPR. This in itself will save a lot of time and help prevent slowdowns.
On another level, however, organisations can adopt completely automated workflows related to personal data management and processing. Not only will this prevent slowdowns and increase operational efficiency; it can also help to ensure compliance by making workflows run according to an organisation’s data management plan which, if you take the advice above, will be designed around compliance.
Automation can also be used to monitor, detect, and alert organisations about potential data breaches, making it easier to develop an effective data breach response plan. In general, automation is key to maintaining compliance within large and rapidly growing organisations.
Of course, regardless of the degree to which processes are automated, staff training remains essential. Employees involved in the processing of personal data need to be aware of the compliance risks and how best to mitigate them.
An organisation should ensure that all its employees are ‘in the know’ when it comes to regulatory compliance. This does not mean instructing them to recite pages of legal manuscripts on demand, however, everyone should be aware of the key points such as the rights of data subjects.
Training should vary based on the information required for an individual to conduct their role within the organisation. App developers will need to have a strong understanding of ‘compliance by design’ – systematically integrating regulatory requirements into automated and manual workflows.
Much like with most security-related practices, compliance should echo through the entire organisation.
In recent years there has been a lot of talk about compliance, and it can get very tiresome very fast. Yet if organisations don’t take compliance seriously, they risk opening themselves up to legal, financial and reputational damage.
Compliance must be built into organisations’ data privacy and security strategies. A balance must be struck which ensures compliance while maintaining operational efficiency. Today’s customers have high expectations. They want seamless experiences and services without risking the integrity and confidentiality of their personal data.
While a deeper legal understanding of compliance is required than can be offered here, organisations must focus above all on valuing the rights of their data subjects.