Meeting Trusted Data Privacy Compliance
Data privacy has become one of the most consequential areas of compliance and data governance. With the European Union’s GDPR and the California Consumer Privacy Act (CCPA) in force, the financial and reputational cost of non-compliance keeps rising, and new laws in Japan and South Korea add to the complexity of doing business across borders, or simply of using and storing personally identifiable information about consumers.
No fewer than four federal bills making their way through Congress propose significant changes to how private data is handled. Companies, and in particular enterprises that hold or process personal data across borders and jurisdictions, are under scrutiny to adopt policies and technologies that offer better transparency and oversight. Violations of the GDPR, for instance, carry fines of up to 4% of global annual turnover or 20 million euros, whichever is higher.
These laws define a growing patchwork of rules that hinge not only on a company’s ability to protect data appropriately, but on its ability to give regulators demonstrable assurance that the policy and technological frameworks required by law are in place. Depending on the jurisdiction, consumers have the right to know what data is collected about them and whether it is sold, to access that data, to opt out of certain sales and data practices, and even to “disappear” entirely by having all traces of their data deleted.
Add to this the very real possibility of dishonest access to data by employees, contractors or business partners, and the risk comes into even sharper focus. Consumers have new legal remedies at their disposal to hold data holders and processors accountable. In this environment, implementing meaningful and compliant data privacy measures is not only a legal obligation but also a competitive advantage.
Responsibility and Oversight
Responsibility for privacy management often sits with compliance or legal teams, but security and risk management leaders are typically the ones charged with achieving compliance in practice and with providing transparent reporting to regulators and internal stakeholders.
According to industry analyst firm Gartner, 42% of privacy leaders are seeking more effective measures for their privacy programs, yet three-quarters of them say they lack the confidence to report effectively on program outcomes, and just 37% of organizations say they have a framework in place that can adapt to changing regulations.
The first step in compliance is to understand the requirements and obligations, including the consequences of failure, whether that failure is general non-compliance or an internal or external data breach. While GDPR and CCPA are top of mind, many industries operate under sector-specific data-handling controls such as GLBA and HIPAA, and contractual agreements with suppliers, partners, contractors and third-party service providers often impose codes of conduct that are more stringent still.
The next step is to establish which people inside and outside corporate boundaries have access to data, and whether security processes and policies are adequate. Gone are the days when security and risk leaders could simply weigh their own risk threshold against what the business is willing to accept. Technical security measures play a crucial role in risk assessment and, as the law prescribes, must cover both external access and internal users.
New mandates make no distinction between outside attackers and unauthorized internal access or alteration of data, and the latter is in fact more common. Privacy violations by employees or partner companies may be deliberate, but a careless individual can just as easily be tricked into sharing data or clicking an innocent-looking link; an attacker who thereby obtains a legitimate user’s credentials or session is acting as an authorized user, and no amount of encryption at rest or in transit stops that.
The fact remains that any time data is moved within a company or passed to another entity, the risk of compromise increases. Managing data transfers matters not simply because the law requires clarity about who is handling private data and how it is used, but because the patchwork of privacy mandates shifts with jurisdiction, and so does the consent given by data subjects. Obligations do not end with the transfer itself: the privacy practices of recipients must also be known in order to reasonably ensure compliant custody.
Technological Means for Achieving Compliance
Organizations are now required to know which data usage and activity must be monitored and documented for regulators, and why data has been accessed. Producing this kind of analysis places a heavy burden on companies that have relied on legacy endpoint security systems, which were not designed to monitor, measure, evaluate and report on such activity.
Regular audits must be conducted, and an auditable trail of data custody and access must be available to regulators for everything in scope. Auditors need evidence that is appropriate, complete and unalterable at the source, so that it provides an objective and impartial basis for trust.
Traditional database logs and monitoring products do not return complete information, especially about which specific data was used. Monitoring can usually be turned off for periods of time, and the logs themselves are often stored insecurely, where they can be edited or deleted.
In response, new approaches are emerging that deliver data access monitoring and access governance as a service, the result of software developers embedding monitoring and privacy-protection capabilities directly into code as applications are developed.
Many monitoring tools, however, introduce performance concerns, especially on the database server side. This is being addressed at the application-stack level with asynchronous logging that does not block data access, does not rely on native DBMS logging, and places minimal strain on network resources.
Another key technological challenge facing security and risk leaders is that most data monitoring tools see only the query side of the conversation, whereas a hook at the database driver sees every record returned in response. In addition, every query can be tagged with identity and activity metadata, creating a transaction-level compliance hook that supports full reporting for internal audits and regulatory requests.
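The two properties called for above, a trail that cannot be silently edited at the source and a driver-level hook that records what was returned rather than only what was asked, can be demonstrated together in a few dozen lines. The following is an added example written for this page, not code from the article or from any product it describes. It wraps Python’s standard sqlite3 connection (assumed as a stand-in for any DB-API driver) so that every query is tagged with the caller’s identity and purpose, the primary keys and columns of the rows that actually left the database are recorded, and each audit entry is chained to the previous one by a SHA-256 hash, so that editing or deleting any earlier entry fails verification. The customers table, the actor name and the ticket reference are constructed sample data.

```python
import hashlib
import json
import sqlite3
import time

GENESIS = "0" * 64  # chain anchor for the first entry


class HashChainedAuditLog:
    """Append-only audit trail. Each entry commits to the previous entry's
    hash, so editing or deleting any earlier entry breaks verification."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev_hash, record):
        body = json.dumps(record, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev_hash + body).encode()).hexdigest()

    def append(self, record):
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"prev": prev_hash, "record": record,
                 "hash": self._digest(prev_hash, record)}
        self.entries.append(entry)
        return entry

    def verify(self):
        """True only if every link recomputes and the chain is unbroken."""
        prev_hash = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev_hash:
                return False
            if entry["hash"] != self._digest(prev_hash, entry["record"]):
                return False
            prev_hash = entry["hash"]
        return True


class AuditedConnection:
    """Driver-level wrapper around a DB-API connection (sqlite3 here).

    Unlike server-side query logging, it sees the response, so it can record
    which rows (by primary key) and which columns actually left the database,
    and tag each call with who asked and why."""

    def __init__(self, conn, log, actor, purpose, key_column="id"):
        self._conn = conn
        self._log = log
        self._actor = actor          # identity tag, e.g. an authenticated user
        self._purpose = purpose      # activity tag, e.g. a ticket or workflow id
        self._key_column = key_column

    def execute(self, sql, params=()):
        cur = self._conn.execute(sql, params)
        rows = cur.fetchall()
        columns = [d[0] for d in cur.description] if cur.description else []
        record_ids = []
        if self._key_column in columns:
            idx = columns.index(self._key_column)
            record_ids = [row[idx] for row in rows]
        self._log.append({
            "ts": time.time(),       # wall-clock time of the access
            "actor": self._actor,
            "purpose": self._purpose,
            "sql": sql,
            "params": list(params),
            "columns": columns,
            "row_count": len(rows),
            "record_ids": record_ids,
        })
        return rows


def demo():
    """Constructed scenario: a support agent reads German customers' e-mail
    addresses. Returns the audit log and the rows the agent received."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, country TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", [
        (1, "anna@example.de", "DE"),     # constructed sample data
        (2, "bernd@example.de", "DE"),
        (3, "chloe@example.fr", "FR"),
    ])
    log = HashChainedAuditLog()
    db = AuditedConnection(conn, log, actor="agent:alice", purpose="ticket-4711")
    rows = db.execute("SELECT id, email FROM customers WHERE country = ?", ("DE",))
    return log, rows


def tamper(log):
    """Simulate an insider editing the trail to hide how much was read.
    Returns the result of re-verifying the chain afterwards."""
    log.entries[0]["record"]["row_count"] = 0
    return log.verify()


if __name__ == "__main__":
    audit_log, returned = demo()
    print("rows returned:", returned)
    print("chain valid before tampering:", audit_log.verify())
    print("chain valid after tampering:", tamper(audit_log))
```

The chain only proves that nothing was altered since the head hash was last recorded, so in a real deployment the head would be shipped, asynchronously as the text suggests, to storage the database administrators cannot write to (a WORM bucket or an external signing service), and a truncation of the tail would be caught by comparing against that externally held head. Recording primary keys rather than full row contents keeps the trail itself from becoming a second copy of the personal data it is meant to govern.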
Extending the Data Privacy Compliance Paradigm
In the past, data security enhancements have often complicated compliance, because the level of access a company needs varies with its internal requirements as well as with the regulatory regimes imposed on it. Perfect data security would mean zero accessibility, which is obviously not the answer. New and emerging privacy mandates have added yet more layers of complexity, and companies have been publicly shamed for failing to protect data adequately.
Just last summer, the Capital One breach put more than 100 million customers at risk, as many as 30% of the people in the U.S. In such cases regulation brings a massive financial burden, and the implications go far beyond fines. Examples such as this highlight the cost- and risk-benefit analysis involved, but also the fact that compliance and risk mitigation require both knowledge and technological approaches, which can seem exhausting.
Protecting private, confidential data means monitoring and governing how it flows through networks and systems, how it is accessed and processed by different applications and people, and for what purpose. Each time a new information cycle begins, the organization is exposed. The capabilities of every entity that handles private data, not just the keepers of that data, need to be assessed and brought into alignment with a growing body of regulatory rules.
Technological remedies that protect data and prevent accidental access or use in violation of privacy laws and obligations address residual risk and leave security leaders well prepared for the inevitable questions from regulators. Drawing on new approaches such as a service-powered security model, data privacy and confidentiality tools are now available to help companies proactively identify and close gaps, and to satisfy data privacy regulations as part of an overall security stance rather than as an afterthought.