Elizabeth Schweyen, Senior Manager of Global Privacy and Compliance at Druva, discusses the complexity of compliance.
The challenges of managing any enterprise in modern times are multifaceted and complex. This rings particularly true for data protection. Businesses are generating millions of data points every day. In fact, it is estimated that the average human created 1.7 MB of data every second throughout 2020 and generates 1.145 trillion MB on a daily basis.
Take a moment and think about how much of this data comes directly from businesses – a mind-boggling amount, right? What’s more, these statistics are only set to increase. For example, it is predicted that by 2021, data creation will reach a whopping 180 zettabytes. If you are not familiar with data volume measurements, I can confirm that this is a lot. Whatever the volume, it remains an organisation’s responsibility to ensure the data it holds is protected and compliant.
An ever-changing compliance landscape
Yet an evolving regulatory landscape has made it a challenge for organisations to maintain compliance. Not so long ago, for example, we saw the massive changes that came along with the UK’s Data Protection Act. Though introduced in 2018, the Act merged with the EU’s GDPR legislation and formed a new framework known as the UK GDPR. This became UK law in January 2021 as part of the withdrawal from the EU. Across the pond, we’ve seen the California Consumer Privacy Act (CCPA) go into effect and quickly be amended by the California Privacy Rights Act (CPRA). Colorado, Virginia, and Nevada have all passed their own privacy laws as well.
However the privacy laws change, failure to comply will lead not only to damaged corporate reputations and lost business opportunities, but to costly fines. Under GDPR, for instance, administrative fines can reach 4 percent of annual global turnover, and recent research found that over the last year GDPR fines rose 40 percent, totaling $191.5 million.
The largest regulatory fines we’ve seen over the last few years show that organisations are falling short on transparency: they are not disclosing how they collect and manage their data. Google and H&M made waves for this, using data in a way that was not initially communicated to their customers and employees.
The impact of remote work
Adding to these challenges is the shifting work environment. As we all saw, the transition to remote work has been fast and furious for millions of businesses. Remote work has quickly become a preferred way of working, and employees have since called on their employers to put more permanent remote work policies in place so that they can continue this in their future.
Yet remote work comes with its own set of challenges. With the increased adoption of IoT devices, cloud environments, and SaaS applications, everything in the enterprise has become decentralised, and data is becoming much harder to keep track of. It also makes it incredibly difficult to fulfil a subject access request, since the list of possible data locations and owners becomes nearly infinite. This leaves organisations more susceptible to violating privacy regulations.
To add more complexity to the situation, organisations are not only tasked with managing a plethora of company data, but also with ensuring proper data hygiene for COVID-19 health records and personally identifiable information (PII) when employees do come into the office. Systems should be put in place to set retention periods for this sensitive data and to process inbound requests to remove it. Such a process requires tight integration between HR, security, privacy, and legal teams, and it is quickly becoming a challenge for many.
The changing regulatory scene is one of the most common challenges faced by companies today; it should also be a launching point for a discussion about ensuring proper data hygiene.
Compliance and data protection equal good data management
Businesses must make sure they are equipped to maintain compliance, regardless of the working location, conditions or environment.
Some of the best examples of this come from organisations in highly regulated industries, such as finance or healthcare. These businesses are successful because they know what data they have at all times, where it is, and who has access to it. This is something all businesses can achieve with the correct strategy in place. Getting there can be broken down into five tasks:
- Task one – Create a data inventory: make a list of the types of personal data that your organisation collects across all avenues. This includes employee, customer, prospect, and vendor personal information.
- Task two – Audit how the business manages that data: determine how personal data collected by your organisation flows through the business, and pay particular attention to how that data is collected, processed and stored.
- Task three – Create a standard data management process: develop a process that centralises management while using distributed data storage, because remote workers, personal devices and data residency laws make it impossible to store all data in one data centre.
- Task four – Leverage the power of the cloud: use the cloud to connect those various data sources. Once your data is saved to the cloud, you can extract and enrich its metadata. Metadata enables companies to manage access control, search, and retrieve information across an organisation’s entire data landscape, while storing the data as inexpensively as possible.
- Task five – Last but not least, automate: by automating the right to be forgotten, the intense manual labour involved in searching through every record and piece of data associated with one individual is removed. This relieves organisations of the cost of that manual work and of the mistakes that come with it.
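The five tasks above can be illustrated end to end in a small script. The following is an added example, not Druva’s code and not part of the original article: it keeps a data inventory (task one) that records where each store lives, who owns it and how long its records must be retained, locates every record for one person across those decentralised stores (the subject access request from task five), and automates erasure while holding back any record that is still inside its retention period, so a right-to-be-forgotten request never silently deletes data the business is legally obliged to keep. All stores, records, retention periods and the `StoreEntry` structure are constructed sample data; the retention rule is a deliberate simplification of the HR, privacy and legal checks a real process would need.

```python
"""Toy data inventory with subject-access and erasure automation.

Added example, not Druva's code. Every store, record and retention
period below is constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class StoreEntry:
    """One line of the data inventory (task one): what personal data
    lives where, who is accountable for it, and how long it must be kept."""
    name: str
    location: str          # region or system, needed for data residency checks
    owner: str             # accountable team for this store
    categories: tuple      # kinds of personal data held (customer, employee, ...)
    retention_days: int    # minimum period a record must be kept (assumed policy value)
    records: dict = field(default_factory=dict)   # record_id -> record


def build_sample_inventory():
    """Constructed inventory of three decentralised stores (task one)."""
    crm = StoreEntry("crm", "eu-west", "sales", ("customer",), 365, {
        "c-1": {"email": "ana@example.com", "created": date(2023, 1, 10)},
        "c-2": {"email": "bo@example.com", "created": date(2024, 3, 5)},
    })
    payroll = StoreEntry("payroll", "uk", "hr", ("employee",), 6 * 365, {
        "p-7": {"email": "ana@example.com", "created": date(2021, 6, 1)},
    })
    backup = StoreEntry("backup", "us-east", "it", ("customer", "employee"), 90, {
        "b-1": {"email": "ana@example.com", "created": date(2023, 2, 1)},
    })
    return [crm, payroll, backup]


def locate_subject(inventory, email):
    """Subject access request: find every record for one person, across all stores.
    Returns a list of (store name, record id) pairs."""
    wanted = email.lower()
    hits = []
    for store in inventory:
        for rid, rec in store.records.items():
            if rec["email"].lower() == wanted:
                hits.append((store.name, rid))
    return hits


def erase_subject(inventory, email, today):
    """Automated right to be forgotten (task five).

    Records still inside their store's retention period are kept and
    reported to the accountable owner instead of being deleted, because
    erasure must not override a statutory retention obligation.
    `today` may be a date or an ISO-8601 string.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    wanted = email.lower()
    audit = []
    for store in inventory:
        for rid in list(store.records):          # copy keys: we delete while iterating
            rec = store.records[rid]
            if rec["email"].lower() != wanted:
                continue
            expires = rec["created"] + timedelta(days=store.retention_days)
            if today < expires:
                audit.append({"store": store.name, "record": rid, "owner": store.owner,
                              "action": "retained",
                              "reason": f"retention period ends {expires.isoformat()}"})
            else:
                del store.records[rid]
                audit.append({"store": store.name, "record": rid, "owner": store.owner,
                              "action": "erased"})
    return audit


if __name__ == "__main__":
    inv = build_sample_inventory()
    print("located:", locate_subject(inv, "ana@example.com"))
    for entry in erase_subject(inv, "ana@example.com", "2025-01-01"):
        print(entry)
    print("remaining:", locate_subject(inv, "ana@example.com"))
```

The audit log is the part a privacy team actually needs: it records, per store and owner, what was erased and what was retained and why, which is the evidence a regulator asks for when a subject later questions how the request was handled.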
While none of us would have guessed that such changes to our working practices would add more complexity to an already convoluted regulatory landscape, we should treat them as a reminder of the opportunities now in front of us to build trust with customers and employees. Now is not the time to relax on data privacy. It’s time to support businesses in complying with privacy regulations, in order to navigate this new landscape successfully.