The Compliance Landscape
Only those hiding from the news, prospects, and customers can miss the data security and privacy challenges that are occurring. More businesses rely on data analytics (garnered from data collection) for more and better service and product offerings. More individuals want data privacy and security. More nations want their citizens protected from corporate tactics that rely on mining and scraping personal data. More customers want tailored experiences that only come through data analytics. These often conflicting desires bring us back to the original reasons for collecting data in the first place.
This ever-changing landscape has created a raft of writings that tend to muddle what the real issue is – in short, keeping people’s data secure and private – and has brought forth a new era of need for data expertise. How can one make sense of it all?
Current considerations – Standards, Revisions, and New Regulations
Perhaps the primary guideline for attaining privacy is the GDPR. Compared to other regulations, GDPR has set the most stringent standard. All others I can think of are, in a sense, either partial-GDPR, e.g., CCPA/CPRA, or GDPR-plus, with relevant jurisdictional additions, such as those of Germany’s BDSG.
A couple of compliance standards to note – ones that had recent deadlines – are the Standard Contractual Clauses (SCCs) and the Virginia Consumer Data Protection Act (VCDPA). VCDPA stands as a recent addition to the growing list of USA state regulations.
The SCCs are important because, while they have been around for some time, they have become the main transfer mechanism since the EU–US Privacy Shield was invalidated by the Court of Justice of the EU in the 2020 Schrems II ruling (a replacement framework is being negotiated, with nothing determined as of this writing), so anyone doing business with EU-based businesses needs to take heed.
An example of a revision is the California Privacy Rights Act (CPRA), which amended the California Consumer Privacy Act (CCPA).
But how does anyone attain compliance with these and other regulations and standards?
When looking at solving corporate data compliance needs, there are at least three interconnected components to consider: data compliance, data quality, and data governance. Compliance must include data quality because not all data needs to be included, and the data that does need protection should meet the quality standards set by the organization. Governance is required because someone needs to be responsible and accountable for the compliance, privacy, and security programs.
Knowing one’s “why” in seeking compliance is vital. Often for business, compliance is a competitive advantage. (One day it might not be so advantageous, as more companies attain various compliance attestations. Perhaps the largest inhibitor at this point in time is cost, where an attestation can run on the order of $20,000.) For marketing departments, compliance enhances reputation. For security and privacy professionals, compliance means saving their company from exorbitant fines. For the C-Suite, it can serve as a public relations example of the organization’s commitment to regulatory compliance.
These are just a few potential, simplified reasons, but one needs to take notice that each company can have multiple driving “whys” for seeking compliance. An important factor in all of this is internal communication between stakeholders.
This need for communication leads to the next set of points, which is the well-known PPT model – People, Processes, and Technology.
The People, Processes and Technology Model
Beyond the general principle of keeping personal data private and secure are some specifics about what’s needed internally.
An organization needs someone who has compliance experience, if not expertise. When stuck with the problem of “we don’t have anybody who knows!”, there’s training available. There’s plenty of training available, but often nobody currently in-house has the experience, or the person who could acquire it is held back by a lack of training budget.
Another action is to appoint a Data Protection Officer (DPO). This doesn’t necessarily have to be a heavy lift (depending on your industry, location, and company size – under GDPR Article 37 a DPO is mandatory for public authorities and for organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data), but there needs to be someone who is in-the-know, in charge, held responsible, and who will be the primary point of contact.
Everyone in an organization needs role-appropriate data privacy and security training. Maybe Sales doesn’t need to know the full details of the SDLC, but knowing what to tell customers about the encryption used, and keeping passers-by from shoulder surfing, is appropriate.
Whether in-house or outsourced, legal counsel is necessary to navigate both the current and upcoming compliance landscape.
The internal audit is a cornerstone of compliance because it includes tasks such as interdepartmental collaboration, program monitoring, training requirements, and budgetary considerations.
Develop, implement, and regularly review policies and procedures for protecting personal data, including security measures to prevent unauthorized access, use, or disclosure.
Know what to do when an incident occurs. Foundational to this is knowing internally how to classify events, whether they’re called incidents, occurrences, events of interest, or breaches; whatever the nomenclature, be able to reference them consistently. Classification matters because regulatory clocks start on it: under GDPR, a personal data breach must be reported to the supervisory authority within 72 hours of becoming aware of it, so the organization must be able to decide quickly whether an event meets that definition.
If people and processes aren’t in place, technology will simply make an expensive and faster mess of things. “Garbage in, garbage out” plus technology produces exponentially faster garbage. Bruce Schneier said, "If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology."
Typically, there are no requirements for specific vendors. What’s important is that roles, processes, and controls are in place, verifiable, and in use.
Maintaining compliance is largely about keeping track of all the details that were put in place when obtaining compliance. It’s the least fun part of it all, but it’s the most necessary. The most important aspects of maintaining compliance are: putting details in place, communicating, monitoring, and revising as needed.
Compliance is best maintained with the lessons learned while attaining the original goal.
Build a Good Foundation
Have the proper attitude. There’s likely going to be a variance between what the business wants (often it’s “every bit of data that could possibly be collected”) and the security, privacy, and compliance needs of both regulations and customers. The general guidelines are:
- Only collect what is absolutely essential to the business (data minimization);
- Whatever is collected needs to have a documented business purpose (purpose limitation); and
- Data collection should only occur with documented customer consent, or with another documented lawful basis where the applicable regulation provides one.
This will lead to frequent, and sometimes prolonged, discussions, but data privacy is a weighty issue requiring a solid policy and decision-making foundation.
Keep an eye out
No one knows what the future holds, but as predicted a few years ago, regulations around the world are only increasing.
Fortunately, it takes a lot of effort and a fairly long time for changes or new regulations to take effect, and, so far, ample time has been given for public review of both changes and expected implementation dates. The sooner an organization adopts a solid stance on data privacy and compliance, the better off that organization is in designing and implementing the requisite controls.
There is so much more to write about. Find a trusted advisor and take the next step to make 2023 your year of data compliance.
About the Author:
Ross Moore is the Cyber Security Support Analyst with Passageways. He was Co-lead on SOC 2 Type 1 implementation and Lead on SOC 2 Type 2 implementation, facilitated the company’s BCP/DR TTX, and is a HIPAA Security Officer. Over the course of his 20-year IT career, Ross has served in a variety of operations and infosec roles for companies in the manufacturing, healthcare, real estate, business insurance, and technology sectors. He holds (ISC)2’s SSCP and CompTIA’s Security+ certifications, a B.S. in Cyber Security and Information Assurance from WGU, and a B.A. in Bible/Counseling from Johnson University.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.