Compliance Headaches and How to Avoid Them

We are in a perfect storm. Data breaches keep happening, cyberattacks are getting more sophisticated and consumers’ awareness of these risks increases daily. It’s therefore no surprise that policymakers are cutting through this noise by implementing progressively more stringent data privacy laws.

2018 marked key milestones for several new regulations in the United States. New York State-licensed financial services firms are now in the final six-month phase of preparing for compliance with NYDFS 23 NYCRR 500, the California Consumer Privacy Act was signed into law on June 28, ahead of implementation in January 2020 and the Colorado Data Breach Notification Law went into effect Sept. 1. What’s more, many of these regulations are layered on top of existing legislation, such as the Payment Card Industry Data Security Standard (PCI) and the Health Insurance Portability and Accountability Act (HIPAA).

As the data privacy landscape becomes ever-more complex, businesses need to take advantage of every head start with compliance they can.

In fact, much can be learned from the way organizations managed their compliance in the run-up to the implementation of the EU General Data Protection Regulation (GDPR) earlier this year. Oriented around citizens’ right to privacy, the GDPR has a much broader remit than most U.S. legislation, which typically focuses on data by type (for example, health data under HIPAA or credit card data under PCI) or on physical parameters (such as organizations operating in California that collect and control California residents’ personal data). So while GDPR in itself is not the template for compliance with any U.S. regulation, organizations now facing similar compliance struggles can learn from GDPR when preparing for new legislation.

Don’t Delay – Procrastination Does Not Pay Off

Many organizations shot themselves in the foot by leaving GDPR compliance to the last minute. We observed a mass scramble in the two months prior to the legislation coming into effect—and with the deadline looming, many organizations turned this into a box-ticking exercise.

However, box-ticking rarely covers all requirements for compliance and therefore won’t mitigate all risks or reduce future overheads. Not all technologies can be deployed rapidly; many require user education and training to ensure successful adoption. Procuring a solution just before a deadline therefore doesn’t automatically mean you’ll be compliant, nor does it prevent a data breach that could occur just days after the legislation is enforced.

Lack of planning is also almost always linked with a very large spike in compliance costs, whether because last-minute solutions often have to be replaced as they were never quite the right fit, or because it’s difficult to anticipate hidden costs without proper planning.

One of the biggest GDPR headaches we’ve seen is with Subject Access Requests (SARs), which are very similar to public records requests in the United States. Under GDPR, data subjects are entitled to find out what personal data organizations hold on them, why they’re holding it and who they share that data with. However, many businesses are struggling to comply with SARs, as more than 80 percent of corporate data is held in unstructured format, in the documents, files and emails employees frequently interact with. As a result, an unexpected staffing overhead has sprung up as organizations sift through various systems, some with limited reporting capability, to respond to each individual request.

Scenarios such as this show how many organizations that didn’t plan ahead will find the cost of compliance skyrocketing within the first 12 months of GDPR. If companies are wise to this and reduce costs even before legislation is implemented, they will be able to keep their budgets from getting rapidly out of hand.

Protection vs. Productivity

Whether you’re facing one all-encompassing regulation (such as GDPR), a variety of more localized regulations (such as NYDFS 23 NYCRR 500 or the California Consumer Privacy Act) or both, it is easy to get stuck down a rabbit hole of different technologies and training per regulation, which ultimately creates a substantial compliance burden.

One way to manage this is to understand all the regulations your organization falls under, identify the most comprehensive one and start by meeting its requirements. The next step is to identify the commonalities between that regulation and the others that need to be met—in doing so, you should find you’re already ahead in meeting the requirements of more localized legislation. The GDPR and the California Consumer Privacy Act, for example, have some controls that map one-to-one, such as individuals’ right to be forgotten, the obligation to protect personal data and subjects’ right to understand the data organizations hold on them. If an organization needs to comply with both, some of the technology and processes from its GDPR compliance should be directly transferable to the requirements of the California Consumer Privacy Act.

Organizations also need to marry compliance achievements and the adoption of risk-reducing technologies with enabling employees to continue delivering against business goals. Business operations shouldn’t come to a grinding halt because of a new compliance strategy. To achieve this, organizations should look ahead at emerging technologies such as machine learning and AI, which can help automate some security decisions. Partnering with innovative vendors that are investing in smart technology will enable organizations to be on the front foot when deploying solutions that can significantly reduce compliance overheads.

The work starts now to protect personal data and build client trust, because regulations are only going to get more comprehensive and penalties for non-compliance are only going to get tougher. No one wants to work for or with a business where a single risk could take them off the radar, and cybersecurity is now a major area of risk. Organizations need to learn from previous compliance struggles and successes, and ensure the solutions chosen today will provide innovations and ROI into the future.

Mark Bower

When people across the world pay for goods electronically, drive a connected car, share private information between businesses, or interact online based on sensitive data analytics, there’s a very good chance that data security products Mark curated are protecting that data against data risk and external attack. Drawing on two decades of expertise in the US, Australia and the UK, Mark is a noted expert in data protection and information risk reduction. At Egress, Mark is the General Manager for North America. Prior to Egress, Mark led product and business strategy for Voltage Security, acquired by Hewlett Packard in 2015 and a pioneer in breakthrough security methods that are now new NIST standards in modern data-centric security for cloud, mobility and IoT applications.