How to Develop a Data Compliance Program

Complex Regulations Drive the Need for Data Compliance

Establishing a data privacy and protection management program ensures protection of company assets, shareholder data/value, brand/reputation, all while minimizing data risk and enabling innovative use of business data.

Data privacy and protection compliance regulations cover all facets of industry and markets worldwide. The following acronyms refer to such regulations and provide an insight on the inherent complexity organizations are faced with: HIPAA, PCI/DSS, GLBA, FCRA, FACTA, FERPA, COPPA, ECPA, DPPA, EEA, CCPA/CPRA, CPA, CDPA, GDPR, PIPEDA, LGDP and more.

On top of these, adherence to “best practices” is often mandated, making those a no-opt out solution. Examples include NIST 800-53, NERC-CIP, ISO/IEC 27001, ISACA and CMMC. It is no surprise that under such a heavy set of regulations, organizations need to have a proper data compliance program in place.

Developing a Data Compliance Program

Developing a data compliance program encompasses many facets and resources, with an ultimate goal to establish and enable a culture of data protection and compliance within the organization from the top-down.

There are several stages to develop a data compliance program:

1. Discover
2. Classify
3. Evaluate & Implement
4. Monitor and Enforce
5. Improve

Some of these steps can happen in parallel, this is particularly true for steps 1-2 and 3, where the compliance side of the organization can focus on the discovery & classification requirements, while the technical stakeholders can initiate product evaluations that will help fulfill compliance requirements.

Discover

This stage is undoubtedly the lengthiest. To begin this journey, clear roles & accountabilities need to be established and should include a Data Privacy & Protection Manager (or Director / Officer), as well as several associates responsible for various areas of competency: Compliance Associate, Controls Associate, Data Subject Associate, Technical Associate, etc.

Once these responsibilities are clear, discovery workshops should be organized with every business unit in the organization as well as IT/IS, Legal, HR, internal auditors, and C-Level functions (CFO, CISO, etc.). The objective is to achieve situational awareness around an organizations’ data landscape.

One of the outcomes of these workshops is the assignment of Data Owners, as individuals ultimately responsible for given data sources. Because these Data Owners will most likely be divisional heads, they are most likely to delegate effective responsibilities to a Data Steward / Data Custodian.

Classify

At this stage, the organization should develop a data classification framework that clearly establishes compliance requirements and policies related to the identified data types. It should consider compliance & privacy laws relevant to the organization and the jurisdictions it operates into, as well as the jurisdictions of the customers it aims to serve.

Those requirements can dictate front-end (application type, interfaces presented to users/applications) and back-end data storage constraints (geographical location, storage type, resiliency, retention policies, security / encryption, etc.) as well as defining who is entitled to access / work with the data.

Once data classification requirements and policies are defined, they should then be applied to every type of data the organization retains, so that no gaps are left.

Evaluate & Implement

There are two facets to this stage. One refers to the technical aspects: the evaluation of technology & tools, as well as their implementation. The other refers to the integration of privacy compliance into operations & processes.

Technology components need to be assessed at this stage and include data classification tools, data privacy / protection tools, solutions to monitor or prevent data loss, but also more standard infrastructure solutions already present in the organization such as firewall management software and SIEM / log monitoring tools.  Most of these provide common functions and are built around existing regulations, making initial evaluations possible even if requirements are not entirely finalized.

The integration of privacy compliance into business and technical processes may require more effort, as it may include a redesign of certain processes or applications, with a downstream impact on data structures and the way data is stored. Finally, it can also impact data storage and data protection in case data sovereignty laws apply.

Before implementing the necessary process and technical changes, tight coordination between technical & data compliance teams is essential. Clarity on data classification and legislation adherence is also crucial.

Monitor and Enforce

Once all the tools are in place, continuous monitoring of compliance requirements needs to take place. This will be done by using the tools implemented in the previous phase.

In this stage, data compliance officers and their area delegates are responsible for monitoring and reporting of compliance breaches, however data owners and their deputies are responsible and accountable for the remediation of identified problems.

Monitoring and enforcement of privacy compliance can be streamlined into business-as-usual operations by providing regular reports to data owners and compliance stakeholders. KPIs can be used to measure non-compliant states, remediation activities and times, and can be used to identify structural issues requiring attention.

Improve

Data compliance is an ongoing effort, because existing regulations are subject to changes, and new regulations may also be introduced. To meet these colossal challenges, organizations need to develop a culture of data privacy & protection.

The involvement of executive, C-Level stakeholders is essential to ensure data privacy & protection get the proper level of attention and responsiveness within the organization. The objective of these initiatives is to ensure all applications and business process embed privacy & data protection by default.

The organization should also coordinate on privacy & data protection with their 3^rd party suppliers and vendors to ensure end-to-end compliance with legal requirements and ensure a potential breach of privacy / compliance is not caused by a 3^rd party supplier. Options can be to reduce the data footprint that is exposed to 3^rd parties, or compliance policy alignment between organizations.

Data Compliance Tips & Takeaways

Implementing a data compliance program without organization-wide support and accountability will not bring the expected outcomes.

An effective data compliance strategy should include the following elements:

• Unequivocal tone-from-the-top messaging around the importance of protecting the company data assets, which also encompasses data privacy
• Clear instructions and guidelines for individual contributors, including mandatory, organization-wide trainings on data privacy & compliance
• The appointment of a Data Protection Officer responsible for organizational compliance & reporting responsibilities as well as adherence to impactful regulations
• The inclusion of data privacy & compliance topics to Board Audits / Risk Committees
• Linkage with existing infosec services & procedures, notably around potential data threats, breaches, and data leaks
• Linkage with existing hotlines or incident reporting services related to potential or suspected violations of data access, policies, and procedures

Wrapping Up

Developing and implementing a data compliance program is akin to a marathon: it requires consistent effort, discipline, and aiming at the end goal.

Organizations should un-silo, inventory and get to know their data. They should rely on solutions such as metadata management to implement smart, policy-driven data privacy / protection capabilities.

The process aspects should not be forgotten either, because data compliance goes way beyond IT infrastructure. It needs to transform into a consistent and holistic discipline that initially requires efforts across the entire organization while becoming a part of the organization’s tenets and culture, becoming seamlessly embedded into all activities and initiatives that relate to data.

Ultimately, a data compliance program enables better collaboration and provides better data identification and re-use opportunities, all while ensuring adherence to existing regulations, and better handling of customers and their personal / sensitive information.      

by Max Mortillaro