By Fouad Khalil, Vice President Compliance at SecurityScorecard
Privacy and the protection of people’s data is a serious issue for all businesses. Yet for those operating across international borders this has become a potential minefield. Anywhere you look globally, from the Americas to Europe, from Asia to Australia, there is some form of privacy regulation, law or legislation brewing or already enacted.
Failing to comply with such regulations can result in a hefty fine and negative reputational impact. With the unavoidable reality of having to adhere to so many different regulations designed primarily to protect personal data of citizens or residents regardless of geographical location, as well as being prepared for those in the future, what can businesses do to ensure continued compliance?
In this article I will explore various privacy regulations around the world and argue that the best way to cope with these is to create a continuous compliance model based on automation.
Data protection regulation around the world
The trendsetter for lawmakers wishing to enhance or create data protection regulations around the world is the EU General Data Protection Regulation (GDPR). When it was introduced, the GDPR expanded the rights of the consumer to control their privacy. This far-reaching piece of EU legislation has implications for any business handling the data of any EU citizen or resident, introducing the concept of extraterritorial data regulation.
Elsewhere, 2018 saw the passing of the California Consumer Protection Act (CCPA), which has been dubbed the GDPR of the Americas. Being enforced from next year, the CCPA will, like the GDPR, also be applicable across territories. This means that any business that handles the data of California residents will have to abide by the CCPA. Other states are now following suit, with the likes of Washington State enacting their own privacy law.
The proposed New York Privacy Act is expected to be a lot more stringent than other data regulations around the globe. It creates a higher duty of care and treats data as property, and it requires breach risk to be assessed in terms of embarrassment and impact on family life.
In Australia the government has updated the Privacy Act of 1988. This differs from other regulations in that it looks for an “Australian link”, which includes expats, by treating the owner or operator of the data as any Australian citizen, company or subsidiary. It incorporates “at risk” language to identify what needs to be in place to protect privacy. All parties that are “at risk” need to be notified, not just those whose data has actually been breached.
India is currently drafting a personal data protection bill. One of the measures proposed is to rate organisations on their compliance with the legislation using a data trust score. Such a scheme is already being used by many organisations to demonstrate to users their data trustworthiness. India will make it easier for consumers to access this information by publishing it online for all to see.
Ultimately, there are so many regulations to adhere to that it is better not to look at what’s in the scope of these data protection regulations, but rather look at what is not in them, as this is far easier to understand.
The common privacy denominator
Aside from protecting personal data and giving consumers more control over how their data is used, what do these regulations have in common?
For starters, they all have some form of extraterritorial reach. For example, the GDPR applies to all EU citizens and those living in the EU, wherever in the world their data is being kept.
They also include definitions of personal data that are more expansive than ever before. For instance, the GDPR refers explicitly to many different types of data, ranging from location data to genetic identity, but says that the definition should be interpreted as broadly as possible. The CCPA has 12 different categories of data.
All of these regulations highlight the importance of vendor risk management, requiring companies to mitigate the risk of third parties being the cause of a data breach. There has also been an increased focus on the need for the board of directors to have continuous oversight of all data processes.
With a greater emphasis on having the right policies and processes in place, we are likely to see fines being levied against companies under these regulations, not due to any data breach that has happened, but because they are not meeting their obligations.
Continuous compliance to minimise risk and cost
In the changing regulatory landscape, businesses must prepare for increased administrative activity such as audits to remain compliant, as well as meeting the requirements for board responsibility. This can be achieved by creating a continuous compliance programme, which involves implementing policies, procedures, best practices, measurement and oversight. Specifically:
- Policies that are approved and communicated to relevant parties within an organisation are critical. These should not just be internally focussed, but should also highlight what external policies, laws and regulations the organisation needs to comply with to ensure all bases are covered.
- Creating the right procedures involves designating responsibilities and daily duties as well as assigning ownership of tasks.
- Best practices need to be followed for settings, programme configurations and dealing with third-party vendors.
- To ensure your data protection programme is mature and working well, you need to be able to measure it. This should be achieved through setting baselines and key performance indicators then testing your programme against these.
- Oversight is only possible if management is given the ability to detect anomalies, respond to changes and exercise true governance.
There is clearly a need to implement common controls such as web application, endpoint and network security to prevent threat actors from accessing data in the first place. It goes without saying that a regular patching cadence helps to ensure that cyber criminals are not able to exploit known vulnerabilities in software.
Finally, businesses should consider the automation of continuous control monitoring. This helps to reduce the amount of human error associated with manual processes. It will also help organisations to better cope with the continuous addition of assets to the system, which all need to be checked and monitored.
By implementing automation, you also move away from point-in-time compliance to maintaining continuous visibility across all environments.
As businesses expand to work with clients in other territories, they need to avoid drowning in a sea of regulatory compliance. With the proper planning, policies and procedures in place along with the right technologies, organisations can prevent themselves from being sunk by hefty regulatory fines.
About the author
Fouad Khalil is the VP Compliance at SecurityScorecard and responsible for compliance programs, auditor education and alignment with best practices. With experience in the technology space, SDLC, IT, program management and most recently IT Security and Compliance management, Khalil’s career path has provided him with keen insights in the areas of network, system and database administration, software programming and much more.