- The rules governing how data should be stored, used, and shared can be overwhelming for resource-strapped cybersecurity and risk management departments.
- Since 2018, the year the European Union's General Data Protection Regulation (GDPR) went into effect, there has been a constant increase in these types of regulations.
- Thirty-five of the 50 U.S. states have at least considered data privacy regulation, and California's CCPA is set to become stricter.
Businesses, especially those in highly regulated sectors such as financial services, health care and government — and those that operate in multiple countries — are faced with a growing number of data privacy regulations.
These rules governing how data should be stored, used, and shared can be overwhelming for resource-strapped cybersecurity and risk management departments, which is why organizations need to take steps to better manage their compliance operations.
Since 2018, the year the European Union's General Data Protection Regulation (GDPR) went into effect, there has been a constant increase in these types of regulations, said Enza Iannopollo, principal analyst at Forrester Research.
"Our research counts about 100 countries around the world that have some form of data privacy or security rules in place," Iannopollo said. "Arguably, these rules have also become more stringent."
In the EU, rules about artificial intelligence and data governance currently in the works also contain requirements that impact how personal information is collected, processed, and shared.
U.S. law and regulation
Several U.S. states, most notably California with its California Consumer Privacy Act (CCPA), have enacted privacy laws. "Thirty-five of the 50 U.S. states have at least considered data privacy regulation," said Ryan O'Leary, research director, privacy and legal technology at research firm International Data Corp.
Newly expected modifications to the CCPA give California more enforcement power through a separate state agency and end an employee exemption, O'Leary said. "Previously, under CCPA employee data was exempted from being subject to data rights requests," he said. "This will no longer be the case soon."
The most prominent regulation now, the American Data Privacy and Protection Act, has the attention of most of the privacy world but is looking less likely to pass Congress, O'Leary said. And if it does not, that "will leave a vacuum at the federal level and continue to allow states to create a patchwork regulatory environment with no federal floor," he said.
4.2 zettabytes of data, and growing
The compliance challenge continues to grow with the rise of digital business. "As of 2020, there was 4.2 zettabytes of data stored per year globally," O'Leary said. "This volume continues to expand and previously, many enterprises thought data was valuable and tried to gobble up as much of it as possible. However, that data now contains a significant amount of risk and the volume of it is overwhelming."
Data that's part of expanding global business also adds to the challenge. "For organizations that operate across geographies, the challenge of defining a comprehensive approach to privacy compliance is particularly relevant," Iannopollo said.
GDPR and the EU Court of Justice "have essentially ruled that transferring EU data to the U.S. without significant safeguards is not allowed," O'Leary said. "There will be significant diplomacy [needed] before data transfers can begin to occur without stringent uplift on the part of corporations. These regulations are extremely detailed and there is no clear stakeholder yet. Is it controlled by security? IT? Legal? Compliance? The answer right now is yes. All of them have a stake."
'Cleaning out the data closet'
The issue of concern for compliance efforts is not just the volume of regulations, but the lack of uniformity within the regulations, O'Leary said. As a result, he said, there are a number of things compliance teams need to consider when assessing their compliance needs.
This includes knowing which laws apply to the organization, what its risk appetite is compared with the cost of being compliant, and how it can best build out a comprehensive compliance program.
"Organizations must identify the data that falls within the scope of the rules," Iannopollo said. "Data discovery and classification are fundamental here. In fact, organizations must know which data they have to protect and where the data is. This is simply said, but complex to do in practice. This is a crucial step to building solid privacy programs."
Companies must also build multi-functional teams that include legal expertise as well as security and IT experts, Iannopollo said.
Another approach to consider, although it might be counterintuitive for many businesses, is cutting back data volumes. "The suggestion I always have is data minimization," O'Leary said. "There is no need to over-collect data — it is risky and reckless. You need to clean out your data closet. You need to know as best you can where everything is and who is accessing it and using it."
Along with the focus on data minimization, organizations should enhance their abilities in data discovery and mapping, O'Leary said. "There are a significant number of technology partners and service providers that have immense expertise and can help you get a handle on it," he said.