The public sector may not always make things easy, but privacy protection is a public good. Complicated laws and regulations governing privacy in various sectors and jurisdictions are now simply a business reality to be dealt with.
Data Privacy Day: Regulation and compliance.
In advance of this year's Data Privacy Day, we heard from business leaders about the impact of privacy law and regulation. It's not simple, and it's not easy, but it's something businesses can and must live with.
Privacy regulation and privacy compliance.
Troy Saunders, Chief Information Security Officer, CentralSquare Technologies, would like the public and public officials to remember the value governments find in data, and the importance of securing personal privacy as they use that information:
“As organizations collect and manage more data than ever before, data privacy regulations are becoming more critical to ensure citizens’ personally identifiable information is protected. It’s important to remember that access to data should not come at the expense of sacrificing data privacy and security.
“Data Privacy Week reminds us of the value of data to empower governments to make informed decisions and collaborate across jurisdictions and state lines. Whether it be through GDPR, HIPAA, FERPA, PPRA, or state and local data privacy and protection legislation, public and private sector organizations must work together to balance privacy, security and trust to build smarter and safer communities for the future.”
Stijn Christiaens, Founder and Chief Data Citizen at Collibra, sees the time as ripe to give privacy the importance business realities demand:
“Over the last two years we’ve had plenty of distractions, but the time is now to prioritize data privacy. Data has the power to help us make the right decisions, to grow, and to drive innovation. But great power comes with great responsibility: we need to make sure that the data we use is trusted, and that it is used in the right ways.
“Particularly as new legislative requirements emerge, businesses must look at compliance proactively instead of reactively to avoid reinventing the wheel each time. The data privacy discussion is often focused on checkboxes – just a tedious exercise to get to the “real” work. Within organizations, privacy processes are increasingly siloed between different teams that have a fragmented view of the real responsibility.
“It’s time for a shift, especially as consumers increasingly hold companies accountable for mishandling their privacy. We need to reframe the conversation around data privacy to be less complacent and more proactive, and we need to move faster to bring as many people as possible to the table to have a real impact. Invest in building sustainable processes now to be ahead of the market and the competition.”
Organizations will find no lack of laws and regulations to help them with privacy. Indeed, there tends to be too much help. Jurisdictions differ, and it can be difficult to know which laws apply, and when, and where. Keith Neilson, Technical Evangelist at CloudSphere, points out that US law itself can be confusing:
“In the U.S. alone, there are several disparate federal and state laws, some of which only regulate specific types of data - like credit or health data, or specific populations - like children. Combine these regulations with the many different international laws that aim to ensure data privacy, such as GDPR, and compliance for companies with global operations becomes an extremely complex undertaking.”
But confusion doesn’t confer absolution. As Christiaens put it:
“Data Privacy Day serves as a reminder that cyber asset management should be a top priority for every organization. Enterprises cannot ensure compliance and data security unless all assets are properly known, tagged, and mapped in the cloud. To avoid jeopardizing sensitive company or customer data, organizations must take the first step of cyber asset management to secure visibility of all cyber assets in their IT environment and understand connections between business services. This includes identifying misconfigurations and automatically prioritizing risks to improve overall security posture, allowing for real-time visibility and management of all sensitive data.”
Brian Spanswick, Chief Information Security Officer and Head of IT at Cohesity, runs through some of the more significant privacy regulations:
“Data Privacy Week is a great reminder of the importance of protecting the privacy and security of data as well as meeting compliance and governance requirements such as GDPR, CCPA, and HIPAA. This starts with selecting a next-gen data management platform that can offer data protection, governance, and compliance on a single platform as part of an overall risk management strategy. These solutions need to be dramatically simplified so they can easily manage large complex data estates from a single UI and take advantage of AI/ML classification technology to help identify and manage sensitive data.”
Veronica Torres, Worldwide Privacy & Regulatory Counsel at Jumio, also sees a rapidly evolving, complex regulatory regime:
“During 2021, the United States had 23 states introduce comprehensive privacy legislation, and globally there were over 30 new data privacy laws or updates proposed. Data privacy is rapidly evolving, bringing new challenges and creating new expectations for consumers and enterprises worldwide. Companies have far more to lose than just their reputation when they mishandle personal information.
“Data Privacy Day serves as a reminder for consumers and organizations of the importance of evaluating where your personal information goes, how it is used and what safeguards should be in place. This is particularly important for organizations using sophisticated tools to fight fraud and leveraging authentication methods like artificial intelligence (AI) coupled with face-based biometrics. To provide transparency to their end-users, it's crucial that companies know what data will be collected and why, and who they are sharing it with.”
Mark Sangster, VP, Industry Security Strategy at eSentire, also sees daunting regulatory complexity, but for businesses that complexity is now simply part of the donnée:
“The myriad data privacy laws are certainly creating a convoluted regulatory landscape and as a result causing an increase in operational efforts and costs – not to mention hefty fines. However, all these data privacy laws have one benefit: they force cybersecurity leaders, privacy experts, compliance judges and business leaders to come together. These laws do not fall under the purview of one group or the other. Business leaders need to think about cybersecurity as legal risk, and collaborate to align expertise, and practice coordinated operations – meaning each player knows their role and plays their position.
“Perhaps five years ago, these laws were more about local compliance and less about strategic infrastructure decisions. Now, with the digital distribution of data management and applications across the cloud, all applicable privacy laws become central to massive decisions about technology architecture and cloud-based service providers. For those SaaS providers, it's a legislation labyrinth that will easily defeat any leader using a spreadsheet as a string to find their way back out. And the penalties are crippling.
“So, where do security leaders start? It's much the same as their approach to cybersecurity: treat it like a business problem and not an IT issue. Before companies decide to expand their geographical footprint and begin marketing their goods and services to new countries and their citizens, or before they adopt cloud SaaS and IaaS services, they must collect and address all applicable laws of the new locale. While the business resides in a specific jurisdiction, and employees access consumer (citizen) data within the same jurisdiction, massive cloud providers operate with data centers across the globe, and how specific tenant data (the business) is stored and managed can be far more distributed and globally scattered than one might think. It becomes a central tenet of privacy laws, and even access for specific regulators. In many cases, privacy laws, like in healthcare, require specific data residency to remain within the home jurisdiction. Cloud providers must be versed in this requirement and provide suitable access and back-ups to meet compliance.”
Paul Bischoff, privacy advocate at Comparitech, sees a clear role for policy:
“Data privacy is a serious issue that needs to be tackled at both policy and individual levels. Policy makers need to keep up with laws and regulations necessary to hold privacy abusers accountable and establish guidelines for data protection. Those abusers range from private corporations to law enforcement agencies.”