Complex Regulations Drive the Need for Data Compliance
Establishing a data privacy and protection management program ensures protection of company assets, shareholder data/value, brand/reputation, all while minimizing data risk and enabling innovative use of business data.
Data privacy and protection compliance regulations cover all facets of industry and markets worldwide. The following acronyms refer to such regulations and give an idea of the inherent complexity organizations face: HIPAA, PCI/DSS, GLBA, FCRA, FACTA, FERPA, COPPA, ECPA, DPPA, EEA, CCPA/CPRA, CPA, CDPA, GDPR, PIPEDA, LGDP and more.
On top of these, adherence to “best practices” is often mandated, making them effectively non-optional. Examples include NIST 800-53, NERC-CIP, ISO/IEC 27001, ISACA and CMMC. It is no surprise that under such a heavy set of regulations, organizations need to have a proper data compliance program in place.
Developing a Data Compliance Program
Developing a data compliance program encompasses many facets and resources, with the ultimate goal of establishing and enabling a culture of data protection and compliance within the organization, from the top down.
There are several stages to develop a data compliance program:
- Evaluate & Implement
- Monitor and Enforce
Some of these steps can happen in parallel; this is particularly true for steps 1-2 and 3, where the compliance side of the organization can focus on the discovery & classification requirements, while the technical stakeholders initiate product evaluations that will help fulfill compliance requirements.
This stage is undoubtedly the lengthiest. To begin this journey, clear roles & accountabilities need to be established and should include a Data Privacy & Protection Manager (or Director / Officer), as well as several associates responsible for various areas of competency: Compliance Associate, Controls Associate, Data Subject Associate, Technical Associate, etc.
Once these responsibilities are clear, discovery workshops should be organized with every business unit in the organization as well as IT/IS, Legal, HR, internal auditors, and C-Level functions (CFO, CISO, etc.). The objective is to achieve situational awareness around the organization’s data landscape.
One outcome of these workshops is the assignment of Data Owners, the individuals ultimately responsible for given data sources. Because Data Owners will most likely be divisional heads, they will typically delegate day-to-day responsibilities to a Data Steward / Data Custodian.
At this stage, the organization should develop a data classification framework that clearly establishes compliance requirements and policies related to the identified data types. It should consider compliance & privacy laws relevant to the organization and the jurisdictions it operates in, as well as the jurisdictions of the customers it aims to serve.
Those requirements can dictate front-end constraints (application type, interfaces presented to users/applications) and back-end data storage constraints (geographical location, storage type, resiliency, retention policies, security / encryption, etc.), as well as define who is entitled to access / work with the data.
Once data classification requirements and policies are defined, they should then be applied to every type of data the organization retains, so that no gaps are left.
Evaluate & Implement
There are two facets to this stage. One refers to the technical aspects: the evaluation of technology & tools, as well as their implementation. The other refers to the integration of privacy compliance into operations & processes.
Technology components need to be assessed at this stage and include data classification tools, data privacy / protection tools, solutions to monitor or prevent data loss, but also more standard infrastructure solutions already present in the organization such as firewall management software and SIEM / log monitoring tools. Most of these provide common functions and are built around existing regulations, making initial evaluations possible even if requirements are not entirely finalized.
The integration of privacy compliance into business and technical processes may require more effort, as it may include a redesign of certain processes or applications, with a downstream impact on data structures and the way data is stored. Finally, it can also impact data storage and data protection in case data sovereignty laws apply.
Before implementing the necessary process and technical changes, tight coordination between technical & data compliance teams is essential. Clarity on data classification and legislation adherence is also crucial.
Monitor and Enforce
Once all the tools are in place, continuous monitoring of compliance requirements needs to take place, using the tools implemented in the previous stage.
In this stage, data compliance officers and their area delegates are responsible for monitoring and reporting compliance breaches; data owners and their deputies, however, are responsible and accountable for the remediation of identified problems.
Monitoring and enforcement of privacy compliance can be streamlined into business-as-usual operations by providing regular reports to data owners and compliance stakeholders. KPIs can be used to measure non-compliant states, remediation activities and times, and can be used to identify structural issues requiring attention.
Data compliance is an ongoing effort, because existing regulations are subject to changes, and new regulations may also be introduced. To meet these colossal challenges, organizations need to develop a culture of data privacy & protection.
The involvement of executive, C-Level stakeholders is essential to ensure data privacy & protection get the proper level of attention and responsiveness within the organization. The objective of these initiatives is to ensure all applications and business processes embed privacy & data protection by default.
The organization should also coordinate on privacy & data protection with its 3rd party suppliers and vendors to ensure end-to-end compliance with legal requirements, and to ensure a potential breach of privacy / compliance is not caused by a 3rd party supplier. Options include reducing the data footprint exposed to 3rd parties, or aligning compliance policies between organizations.
Data Compliance Tips & Takeaways
Implementing a data compliance program without organization-wide support and accountability will not bring the expected outcomes.
An effective data compliance strategy should include the following elements:
- Unequivocal tone-from-the-top messaging around the importance of protecting the company data assets, which also encompasses data privacy
- Clear instructions and guidelines for individual contributors, including mandatory, organization-wide training on data privacy & compliance
- The appointment of a Data Protection Officer responsible for organizational compliance & reporting responsibilities as well as adherence to impactful regulations
- The inclusion of data privacy & compliance topics in Board Audit / Risk Committees
- Linkage with existing infosec services & procedures, notably around potential data threats, breaches, and data leaks
- Linkage with existing hotlines or incident reporting services related to potential or suspected violations of data access, policies, and procedures
Developing and implementing a data compliance program is akin to a marathon: it requires consistent effort, discipline, and aiming at the end goal.
Organizations should un-silo, inventory and get to know their data. They should rely on solutions such as metadata management to implement smart, policy-driven data privacy / protection capabilities.
The process aspects should not be forgotten either, because data compliance goes way beyond IT infrastructure. It needs to become a consistent and holistic discipline: one that initially requires effort across the entire organization, then becomes part of the organization’s tenets and culture, seamlessly embedded into all activities and initiatives that relate to data.
Ultimately, a data compliance program enables better collaboration and provides better data identification and re-use opportunities, all while ensuring adherence to existing regulations, and better handling of customers and their personal / sensitive information.
Since the introduction of data privacy laws such as GDPR (in Europe), CCPA (in California) and many other similar regulations in other jurisdictions, public awareness about data privacy has soared.
As we live in a digital era, data privacy should be a quintessential human right. While we are not there yet, regulations are starting to stand on the side of the citizen. Let’s first recap data privacy before covering our main topic.
Data Privacy Primer
As we begin this blog post series with ComplyTrust® Inc., we would like to introduce a few concepts such as Personally Identifiable Information as well as the Right to be Forgotten.
Personally Identifiable Information
Every human generates data and is a data subject, at the very least from a vital records perspective. As we grow, more information such as bank account references, phone numbers, addresses and so on increases our “metadata” – we become more complete “records”.
When we purchase goods / services or perform everyday acts, we often need to give out essential information to complete the transaction or activity. And the more data we are willing (or forced) to give out, the more uniquely identifiable we become.
This data is stored somewhere, sometimes simply as a record trail. Even if customer data is stored separately from transaction data, the ability to link a transaction to a person makes the transaction data Personally Identifiable Information (PII) – it allows the organization to trace back to a unique individual.
Why Data Privacy is Important
There are many cases where PII is essential and required for tracking a record. Signing up for a mortgage or applying for a new car registration are a couple of examples; legal proceedings are another. There is also a broad range of life situations where the law requires data to be retained.
But for other situations, legislators have recognized a right to privacy. Laws such as GDPR and CCPA are the direct consequence of years of abuse from unscrupulous or blissfully ignorant customer targeting by organizations, for whom the collection and re-use of PII for commercial purposes was normal practice. Those practices degenerated into aggressive and focused targeting of consumers based on age, interests, personal opinions, race, location and many more criteria, even giving birth to questionable business models with dystopian characteristics.
Getting Back in Control: The Right to be Forgotten
Data privacy laws have empowered consumers with the right to take back their privacy with several tools. The Right to be Forgotten (RtbF) is one of these. At any time, a consumer (or subject) can reach out to an organization to check if it possesses any of their data. If they have such data and provided that the organization is not obliged by law to keep specific records, the consumer can exercise their right to be forgotten.
An organization receiving an RtbF request will have to identify and erase any personally identifiable information about the subject and inform the subject the data has been permanently erased. This has several implications because of data’s pervasiveness, but we will not address this here.
RtbF in the Context of Mergers and Acquisitions
Although a subject may have successfully exercised their RtbF against an organization holding their PII, some situations may arise where the subject is again contacted by that organization. In the simplest of cases, it might simply be because the subject re-used the services of that organization, which caused data to be provided and stored again.
Mergers & Acquisitions (M&A) can significantly complicate an organization’s ability to maintain compliance with privacy regulations. One of the outcomes of M&A activities is the co-existence and eventual convergence of IT systems and systems of record such as customer / transaction databases.
M&A activities can last months or years, and the outcome may not always be successful. TECHunplugged has witnessed acquisitions where data migration and infrastructure consolidation activities took years to complete, ending with a re-sale of the purchased company only a few months later, after results were not up to the expectations.
From a privacy compliance perspective, the law does not care about your M&A activity. It expects the organization, no matter how transient its structure is, to uphold regulations and the consumers’ Right to be Forgotten. The approach and response to RtbF requests need to be handled holistically, taking into consideration the entire organizational structure and systems.
But most importantly, organizations need to maintain compliance with previous requests. Imagine a customer, John Doe, who raised an RtbF request with Contoso Inc., a fictional company, and the request was fulfilled. Contoso Inc. no longer has any PII about John Doe.
Months later, Contoso Inc. decides to acquire their competitor Tailspin Toys, another fictional company, with whom John Doe did business. John didn’t have an issue with Tailspin Toys and never cared about raising an RtbF request with Tailspin Toys.
Even if the data resides within Tailspin Toys systems while both organizations figure out how to consolidate, Contoso is now in charge. The outcome: the company is now in breach of privacy regulations, as it now holds data it was not supposed to be keeping anymore.
Through this example, we can see how M&As can directly impact the Right to be Forgotten. If we scale this RtbF request, the impact could be in the thousands to hundreds of thousands of breaches. Should a regulatory control take place during this timeframe, the company could face significant risk: financial (fines), reputational (loss of public trust) and potentially regulatory impact if the organization operates in a regulated vertical, keeping in mind that the more widespread the breaches are, the more severe the impact is.
With this initial post, we briefly covered Personally Identifiable Information, Data Privacy and Right to be Forgotten concepts, to explain why these concepts matter and what is at stake, and to set the context for what follows.
For administrators and organizations, RtbF is a tricky topic. Removing records once is ultimately achievable, provided we know where customer data is stored and our systems allow the data to be eradicated. The challenge is to ensure continuous compliance: not only continuous compliance within the boundaries of our own systems and infrastructure, but also in the face of business decisions taken.
To comply with regulations, retain trust with their customer audience and mitigate regulatory, financial and reputational risk, organizations need to implement continuous compliance monitoring to ensure that RtbF related requests are not only addressed upon receipt, but that their enforcement remains consistent over time, regardless of structural changes within the organization, such as M&A activities.
ComplyTrust®, an innovative vendor that focuses on continuous data privacy compliance, has built Forget-Me-Yes® to address those challenges and give organizations assurance that they are adhering to data privacy regulations.
Stay tuned in the coming weeks as TECHunplugged and ComplyTrust® continue to cover data privacy related matters as well as the Forget-Me-Yes® SaaS platform in more detail.
Every business, enterprise, government agency, educational or health science organization is relying on, hoping, and betting that the data backups sitting in its infrastructure or cloud service are in better shape than the production environment it just abandoned because of a ransomware or malware attack.
The company compliance officer is hoping to quickly address the reemergence of data subjects that were deleted under GDPR, CPRA or any other data privacy law. Are these hopes well founded? And if not, what will be the impact on the time it takes to get all systems online and the company back into production?
RTO and RPO only tell part of the story. At what recovery point objective is the data backup free from the ransomware or malware that just changed the course of the company’s ability to serve its customers or constituents? Since this is difficult to answer, the only option is to mount a backup and run cyber scans and data privacy scans against that data backup before cutting over to production. This of course takes time and delays time to production.
From a data privacy perspective, between the chosen backup recovery point and the present, the organization has received some number of “Data Subject Access Requests” and “Requests for Deletion”. Now, with restoration, these data subjects are back online, and the company is out of compliance. And because of GDPR and CPRA restrictions, you can’t maintain a list of who they are, so you don’t know who to delete again. This all takes time again, further delaying time to production.
The solution to these challenges varies depending on the cloud, database, storage system, or data protection strategy being deployed. Whether on-premises, hybrid, private or public cloud infrastructure, data protection is a fundamental pillar for both time-to-production and sustainable compliance.
In upcoming posts, we will provide suggestions for getting back to production quickly while maintaining compliance and the elimination of cyber risks. Until next time, be safe.
All brands, images and names are property of their respective owners.
The ComplyTrust Team.