Data protection laws are coming under increasing focus around the world as companies seek to meet new compliance obligations.
Data protection regulations generally oblige any company or organization to store securely any data they collect or process. What they do with this data is strictly regulated.
According to a Gartner report, by the end of next year the personal data of around 65% of the world’s population will be subject to modern data protection regulations. Complying with these expanding regulations can be challenging.
Over the past 20 years, companies have had almost a free hand in collecting personal data from electronic transactions and the increasing use of the internet.
Many organizations involved in international trade have to change their procedures to adapt to the new legislation. This is a priority for transactions and correspondence related to e-commerce and social media.
Increasing consumer distrust, government action, and competition for customers have prompted some governments to adopt tough rules and regulations. The effect is to change the no-man's-land conditions that have allowed both large and small businesses to run wild with people's personal information.
“By far the biggest challenge facing organizations is keeping up with the amount of data they manage, which is also subject to ever-changing privacy requirements,” Neil Jones, director of cybersecurity evangelism at Egnyte, told TechNewsWorld.
Assortment of different requirements
The EU has the General Data Protection Regulation (GDPR). In the UK and continental Europe, data protection is widely recognized as a basic human right, according to Jones. In the United States and Canada, businesses must navigate a growing patchwork of state and local laws.
Data protection legislation in the US and Canada has traditionally been more fragmented than in the UK and Europe. Quebec in Canada and Utah and Connecticut in the United States are among the latest jurisdictions to enact comprehensive privacy laws, joining the US states of California, Virginia and Colorado.
By the end of 2023, 10% of states in the US will have privacy laws, Jones noted. This lack of a universal standard for data protection has created an artificial layer of business complexity.
In addition, today's hybrid work environment has created new layers of risk that have made it difficult to address myriad privacy concerns.
What’s at stake
In order to increase productivity, companies may need to ask their employees detailed questions about their behavior and policies on working from home. These types of questions can have their own unintended privacy implications, according to Jones.
The recent convergence of personally identifiable information (PII) and protected health information (PHI) has also put highly sensitive data at risk. This includes work injury reports, employee and patient health records, and confidential test results such as Covid-19 notifications.
“With 65% of the world’s population expected to drop personal information under data protection regulations by next year, respect for privacy was more important than ever,” Jones said.
Cloud Privacy Hurdles
Data protection and security are the biggest challenges when implementing a cloud strategy, according to a recent study by IDG, now renamed Foundry. In this study, the role of data security was a prominent concern.
When implementing a cloud strategy, IT decision makers (ITDMs) face challenges such as controlling cloud costs, privacy and security challenges, and a lack of cloud security skills/expertise.
With a stricter focus on securing private data, this problem is only growing as more companies migrate to the cloud. The IDG study found that two key hurdles were privacy and security challenges and a lack of cloud security skills/expertise.
Spending on cloud infrastructure has increased by about $5 million this year, according to Foundry.
“Although large enterprises are taking the lead, SMBs are not far behind when it comes to cloud migration,” said Stacey Raap, marketing and research manager at Foundry, when the report was published.
“As more and more organizations move towards going full cloud, IT teams need the right talent and resources to manage their cloud infrastructure and overcome all of the security and privacy hurdles associated with the cloud,” she remarked.
Organizations can successfully prepare for data protection legislation, but to do so, data protection initiatives must become a “full-time job,” Jones said.
“Too many companies view data protection as a part-time project for their web teams rather than a full-time business initiative that can have a significant impact on customer relationships, employee morale and brand reputation,” he said.
Beyond this step is the establishment of holistic data governance programs that provide more visibility into the organization’s regulated and sensitive data. Add to that working with trusted business and technology partners who understand the privacy space and can help you prepare for rapidly evolving regulations.
Perhaps the most dynamic approach is to use an Advanced Privacy & Compliance (APC) solution, Jones suggested. This allows organizations to conveniently comply with global privacy regulations in one place.
Specifically, APCs can help achieve compliance by:
- Managing Data Subject Access Requests (DSARs), such as the right of individuals to be informed about the personal information collected about them, the right to opt out of the sale of personal information to others, or the right to be forgotten by collecting organizations
- Assessing an organization's compliance readiness and scope against specific regulations (e.g. GDPR, CCPA)
- Preparing and reviewing third-party technical assessments and assessing potential risks to consumer data
- Extending cookie consent capabilities, such as integrating cookie consent into compliance workflows
It can be difficult for organizations to understand today’s rapidly evolving privacy landscape and how specific regulations apply to them, Jones said. However, by taking proactive measures, companies can remain on top of data protection regulations in the future.
These steps include the following ongoing tasks:
- Monitor the status of privacy regulations in the countries, provinces and states where the customer base resides
- Create a privacy taskforce that can improve organizational focus and bring executive attention to privacy initiatives
- Stay up to date on new federal privacy laws like the proposed American Data Privacy and Protection Act (ADPPA)
It's also important to note an additional long-term benefit of privacy compliance: it strengthens an organization's overall cybersecurity defenses.