As data privacy laws proliferate, compliance becomes a bigger and more complicated priority for organizations across the globe. That burden is especially heavy for those that deal with particularly sensitive or coveted types of data, like financial information and healthcare data. In many cases, complying with certain data privacy laws requires a tremendous amount of monetary and human capital.
But there are tools and proven strategies that can help, and ADCG has compiled the following non-exhaustive list of some of the best privacy compliance technologies, tools, and tactics being used in the market today.
Compliance with some regulatory schemes can be difficult for organizations to achieve without proper guidance, such as the use of a compliance framework. This is especially true where an organization serves more than one geographic area, or where it provides numerous goods or services to the market. For example, an organization that serves both the European Union and the United States must comply with different regulatory schemes, because the European Union requires compliance with the General Data Protection Regulation (GDPR), whereas the United States does not. This regulatory divergence can result in confusion or inconsistencies throughout the organization, which could be remedied by using a compliance framework that accounts for both regulatory schemes.
Even if an organization believes it can satisfy compliance expectations without outside guidance, compliance frameworks may help reassure consumers that they can safely use your organization’s services, because compliance with the requirements of these frameworks will ensure that their consumer data is safeguarded by the organization.
In addition, utilizing cybersecurity frameworks can provide economic benefit to your organization. According to a report released by the Armed Forces Communications and Electronics Association (AFCEA), the “implementation of a comprehensive baseline of security controls that address threats that are of low to moderate sophistication is essential and is economically beneficial.”
Below are two information security frameworks that could be utilized by your organization:
- In the United Kingdom, the National Cyber Security Centre offers a Cyber Essentials certification course, which provides users with two levels of a “Government-backed scheme that will help you to protect your organization, whatever its size, against a whole range of the most common cyber-attacks.”
- ISO/IEC 27001 provides a framework for an organization to modernize and optimize its information security management system (ISMS) to better “manage the security of assets such as financial information, intellectual property, employee details or information entrusted by third parties.”
Going Beyond the Compliance Requirements
Although these compliance frameworks can be useful in assisting organizations in meeting the basic regulatory requirements and expectations, organizations should consider investing in a cybersecurity operation that goes beyond compliance. As the World Economic Forum describes, “within organizations’ budgetary boundaries, companies have to defend and protect against attacks while they also seek to comply with complex regulations.”
For example, certain regulatory expectations may require that multi-factor authentication and access management be employed to protect privileged or sensitive information. However, many organizations fail to go beyond this level of protection, which leaves the rest of the organization vulnerable to threat actors gaining access to this protected information through unprotected access points.
Instead of just a compliance goal, organizations should view cybersecurity as a “value add,” and allocate company funds toward cybersecurity projects that are not solely based on regulatory requirements. Here are some ways to do that:
Maintain Sufficient Data Management Systems
According to an article released by Innovation & Tech Today on April 18, 2022, global data volume, measured in zettabytes, is expected to triple between 2020 and 2025. With this large increase in data being generated, exchanged, and stored each day, information system administrators are “being forced to find more efficient and innovative means to deal with the influx.”
The article notes that over the last five years many organizations have implemented “real-time, hybrid multi-cloud, multi-model, and relational databases” that rely on “advanced compression algorithms.” The use of these automation systems permits organizations to increase the storage capacity of their systems, utilize more advanced encryption, and more easily store data in a manner that’s compliant with privacy laws. This last component is commonly referred to as data privacy automation, which according to this article, “is an autonomous privacy management construct that ties together discovery, cataloging, access and data loss prevention (DLP) and makes the right (sensitive) identity-centric data available to the right people and teams.”
Establish an Information Governance Committee
Lastly, as your organization continues to evolve its cybersecurity and data management policies and procedures, it should consider the benefits of establishing an information governance committee. Such a committee is a way to dedicate time and resources to cross-organizational data security efforts. Having a team focused on the information collected, stored, and transmitted helps to mitigate risk.
These committees may include an organization’s stakeholders, such as members of your legal, compliance, data security and management, and analytics teams.
* * * * * * *
For ADCG’s Breach Report and more news updates discussing: Connecticut’s Data Privacy Bill advances, which excludes Financial Institutions; US Commerce Department announces the creation of a Data Transfer Forum; Intelligence Agencies Flag Russian organizations against malicious Russian cyber activity; and Kentucky adopts NAIC Model Law for Insurance, click here.