By Stephen Cavey, co-founder and chief evangelist of Ground Labs
Maybe the "terrible twos" are not as bad as we thought. The General Data Protection Regulation (GDPR) is about to enter its third year in effect, and in that short time it has become the gold standard for comprehensive data protection law.
The GDPR has undoubtedly come of age since it replaced the outdated data protection rules previously enforced in the European Union, chiefly the 1995 Data Protection Directive. Its application from May 2018 was a timely update: only about 0.5% of the world's population was online in 1990, compared with a large majority of people in developed economies by 2015. Unquestionably, as the internet, big tech and consumer awareness of data evolve, so will the GDPR and attention to consumer privacy in general.
How GDPR stacks up against other compliance regulations
The GDPR has inspired the world to take consumer data protection seriously. The regulation, dense with 11 chapters and 99 articles, applies to any organization established in the European Economic Area (EEA) and to businesses outside the EEA that offer goods or services to, or monitor the behaviour of, individuals in the EU (Article 3). It gives individuals control over their personal data, including the right to ask a controller to erase it under specific circumstances. It also obliges controllers to notify the supervisory authority of a personal data breach, within 72 hours where feasible, to inform the affected individuals when the breach poses a high risk to them, and to pay penalties for violations of up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher.
Countries such as Brazil (LGPD), Thailand (PDPA) and, recently, China (the Personal Information Protection Law, still a draft at the time of writing) have adopted or are adopting similar laws for their own residents.
The GDPR has also influenced the adoption of comprehensive privacy laws in the United States. So far, California (CCPA) and Virginia (CDPA) are the only states to have enacted comprehensive legislation as enforceable law. It is only a matter of time, however, before the U.S. must weigh whether a patchwork of state laws is as meaningful and workable as a single all-encompassing federal law similar to the GDPR.
Data hygiene challenges in the new hybrid work environment
Currently, as employees emerge from a period of remote work and organizations begin to bring them back to the office, there is greater security risk from the increased spread of sensitive data across employee endpoints. Many employees have been remote for over a year now, but business never stopped: they have handled, and will continue to handle, sensitive or personal information daily in varying forms. The challenge businesses now face is locating this data and verifying that it is secured. It may be saved in local folders on workstations and laptops; in hidden, temporary and private folders; in cloud folders; and in files shared over email and messaging apps. It could be hiding virtually anywhere. The problem grows as organizations and their partners adopt hybrid remote work as a long-term operating model. That is why organizations in the U.S. or anywhere else that handle the data of individuals in the EU must take GDPR compliance seriously and make it a strong focus as they readjust their work environments.
2020 illustrated that success hinges on a proper data management strategy, one that prioritizes security through protocols and processes flexible enough to pivot and survive even the most abrupt changes.
Organizations must stay in lockstep with GDPR
Privacy regulations like the GDPR have increased transparency and give consumers the ability to decline or opt out of data sharing, but as the regulations grow in scale and complexity, organizations are exploring ways to meet the requirements without hindering the business. Forward-thinking organizations are putting in place solutions and processes to address the stricter requirements around the handling and storage of personal data that each of these laws brings.
Many countries are implementing modern data privacy laws, largely in response to the poor data security and privacy practices of companies that have collected, sold or exploited consumer data. We are entering a regulatory era heavily focused on individuals' privacy rights, and organizations that collect and use personal data will need to budget specifically for ongoing compliance.
Organizations must rethink their entire strategy around the collection, storage and security of personal information, and recognize that the privacy regulations that apply are determined not by the country where the company is located but by where the individuals whose data it processes are located.
Modern business practices must be adjusted to keep pace with data compliance expectations, and meeting those expectations will require a fundamentally different approach to how data security and data privacy are managed.
Whether your company is already compliant with the GDPR or is still working to improve its data compliance and security infrastructure, it is never too late to begin a regular cadence of data discovery scans. Discovery is one of the most critical steps in establishing a baseline of all personal data across the business, so that the correct safeguards can then be applied to the systems and storage locations most at risk.
To build an effective data discovery strategy, a business must take all previous assumptions about where personal data is stored and handled off the table and re-establish that knowledge from the ground up. From there the organization can stay up to date with compliance regulations and prioritize data security on the basis of real evidence, regularly produced by discovery, before a breach occurs rather than after.
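As an added illustration of what a discovery scan actually does (this is example code written for this page, not Ground Labs' product or the author's own code), the script below walks a directory tree, including the hidden and temporary folders mentioned earlier, looks for three common categories of personal data in text files, validates each candidate with its checksum so that the inventory is not flooded with false positives, and ranks locations by how much validated data they hold. The sample tree, file names and contents are constructed for the demo; the card number and IBAN are standard published test values.

```python
"""Added example, not code from the article or from Ground Labs: a minimal
personal-data discovery scan. It walks a directory tree (hidden folders
included), finds candidate e-mail addresses, card numbers and IBANs in text
files, validates candidates with their checksums to cut false positives, and
returns an inventory keyed by location. All paths and contents are constructed."""
import os
import re
import tempfile
from collections import defaultdict

# Candidate patterns; deliberately loose, the validators below decide what counts.
PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),  # 13-19 digits, separators allowed
    "iban": re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,4})?\b"),
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def iban_ok(candidate: str) -> bool:
    """ISO 7064 mod-97 check: move the first four characters to the end, map
    A-Z to 10-35, and the resulting integer must be congruent to 1 mod 97."""
    s = candidate.replace(" ", "").upper()
    if not 15 <= len(s) <= 34:
        return False
    numeric = "".join(str(int(c, 36)) for c in s[4:] + s[:4])
    return int(numeric) % 97 == 1

def scan_text(text: str) -> dict:
    """Return {category: count} of validated hits in one blob of text."""
    hits = defaultdict(int)
    for _ in PATTERNS["email"].finditer(text):
        hits["email"] += 1
    for m in PATTERNS["card"].finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            hits["card"] += 1
    for m in PATTERNS["iban"].finditer(text):
        if iban_ok(m.group()):
            hits["iban"] += 1
    return dict(hits)

def scan_tree(root: str, include_hidden: bool = True) -> dict:
    """Walk root; return {relative path: {category: count}} for files with at
    least one validated hit. include_hidden=False mimics a naive scan that
    skips dot-directories, exactly where stale exports tend to accumulate."""
    inventory = {}
    for dirpath, dirnames, filenames in os.walk(root):
        if not include_hidden:
            dirnames[:] = [d for d in dirnames if not d.startswith(".")]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue  # unreadable file: skip it, keep scanning
            if hits:
                inventory[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return inventory

def rank_locations(inventory: dict) -> list:
    """Locations ordered by total validated hits, most exposed first."""
    return sorted(inventory, key=lambda p: -sum(inventory[p].values()))

def build_sample_tree() -> str:
    """Constructed sample data: a documents folder plus a hidden cache folder."""
    root = tempfile.mkdtemp(prefix="discovery-demo-")
    files = {
        "Documents/customers.csv": "name,email,card\n"
                                   "Ada,ada@example.org,4111 1111 1111 1111\n"  # Luhn-valid
                                   "Bob,bob@example.org,1234 5678 9012 3456\n",  # fails Luhn
        ".cache/tmp/export.txt": "Refund to GB82 WEST 1234 5698 7654 32 for carol@example.com\n",
        "notes.txt": "Meeting at 10:30, no personal data here.\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    full = scan_tree(root)
    for location in rank_locations(full):
        print(location, full[location])
    missed = sorted(set(full) - set(scan_tree(root, include_hidden=False)))
    print("missed when hidden folders are skipped:", missed)
```

Two design points matter in practice. First, pattern matching alone is not discovery: the second card number in the sample passes the regex but fails the Luhn check and is correctly left out of the inventory, while the IBAN is only counted after the mod-97 check. Second, the scan only produces a usable baseline if it covers the places people forget, which is why the walk descends into the hidden `.cache/tmp` folder by default; running it with `include_hidden=False` shows what a naive scan would miss. A production scanner adds more categories, handles binary and archive formats, and records where each hit was found so the owning system can be remediated.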
About the Author
Stephen Cavey, Co-Founder and Chief Evangelist at Ground Labs
Stephen Cavey is a co-founder of Ground Labs, leading a global team that empowers its customers to discover, identify and secure sensitive data across their organizations. As Chief Evangelist, he leads its worldwide product development, sales, marketing and business operations, and was instrumental in extending Ground Labs' presence with enterprise customers. Stephen has deep security domain expertise with a focus on electronic payments and data security compliance. He is a frequent speaker at industry events on data security, risk mitigation and cybersecurity trends. He started Ground Labs after holding engineering and leadership positions at Paycorp Holdings (now part of MYOB), a provider of integrated electronic payments solutions, and Webpay, a payment services provider later acquired by Fidelity.