Industry executives and experts share their predictions for 2022. Read them in this 14th annual VMblog.com series exclusive.
How Brexit could shape the future of data compliance
By Stephen Cavey, Co-Founder and Chief Evangelist, Ground Labs
On January 31, 2020, the United Kingdom ended its 47-year membership of the European Union. While discussions have taken place on how the two will handle trade, travel, and cooperation on many issues including vaccines, there is still no clear picture of how British data governance law will evolve from the existing UK GDPR.
The GDPR as a gold standard
The GDPR is seen as the gold standard of compliance laws. Since its rollout in 2018, the regulation has had a global impact on data privacy and security, catalyzing similar efforts in other countries such as South Africa and China. These regulations have effectively increased transparency, empowered consumers with the ability to opt out of data sharing policies, and held businesses accountable for the sensitive data they collect and manage.
In the 2020 National Data Strategy, the UK's Digital Secretary, Oliver Dowden, said that moving forward he hopes national data governance is "not overly burdensome for smaller businesses" and "supports responsible innovation." The UK has therefore been attempting to lead the way in creating a common-sense data privacy regulation, which could broadly influence the evolution of future national laws.
Keeping the adequacy rule
Although the GDPR delivers a net benefit to consumers overall, some businesses consider it merely a nice-to-have addition to their data protection strategy, while others have simply found it difficult to comply with fully. On average, only 28% of businesses believe they are fully GDPR compliant. In the U.S., 35% of businesses believe they are compliant, and 33% do in the UK.
If the UK is able to find a simplified approach to implementing national privacy legislation whilst maintaining adequacy with the EU GDPR, we could foresee a future where other countries consider developing similar approaches to data privacy that are less tedious than the GDPR and easier for companies to follow and meet. This would allow businesses to be more streamlined as they consider the data they store and process for decision-making and the delivery of products and services.
To support its rationale for proposing changes, the UK government published a study that included a list of expected outcomes, quantifying the potential efficiency gains and cost reductions to business from adopting a revised approach, as well as the impacts on trade and other factors. It found that the direct financial impact on UK businesses, should adequacy not be maintained, is approximately £1.4 billion over five years. It is therefore a critical goal for the UK to strike a balance between simplifying the data privacy compliance burden on business and maintaining adequacy status with the GDPR.
Steps to protect data
We see data breaches monopolize news headlines regularly. In many cases, breaches happen to companies that did everything in their power to prevent one, including complying with data privacy laws. For example, in 2013 Target stated that it was in compliance with PCI DSS; despite this, attackers still found a way to deploy malware on its network, and the industry has since questioned the validity of that claim.
The fact is, following rules and ticking boxes is not the same as practicing good data hygiene. And when it comes to keeping data safe, the bare minimum is not enough. Regardless of how legislation in Britain changes, businesses can deploy some fundamental strategies now to better protect private information.
The first of these strategies is knowing where all data resides, a process called data discovery. Understanding where data lives enables businesses to examine their workflows, adjust where needed and minimize potential risk to the company. The best approach to data discovery is to schedule a regular cadence of ongoing scans, covering every endpoint, to validate clean and secure data storage and handling practices.
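To make the data discovery step concrete, here is a small scanner added as an example for this article; it is not Ground Labs code and not the tool the author's company sells. It walks a directory tree, looks for digit sequences with the structure of a payment card number (13 to 16 digits passing the Luhn check, the kind of data PCI DSS governs), and reports each hit with the number masked so the report itself does not become a new copy of the sensitive data. The sample files it scans are constructed inline, using the well-known 4111 1111 1111 1111 test number, so the script runs offline.

```python
"""Minimal data-discovery scanner (added example, not the original page's code)."""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List

# Candidate: 13-16 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep the first 6 and last 4 digits; mask the rest for reporting."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    path: str
    line_no: int
    masked: str


def find_pans(text: str) -> List[str]:
    """Return the digit strings in text that look like valid card numbers."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_valid(digits):
            hits.append(digits)
    return hits


def scan_tree(root: str) -> List[Finding]:
    """Scan every regular file under root, line by line."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    for n, line in enumerate(fh, 1):
                        for pan in find_pans(line):
                            findings.append(Finding(path, n, mask(pan)))
            except OSError:
                continue            # unreadable file: skip, keep scanning
    return findings


def demo() -> List[Finding]:
    """Build a constructed sample tree in a temp dir and scan it."""
    root = tempfile.mkdtemp()
    samples = {  # constructed sample content, not real data
        "exports/orders.csv":
            "id,card\n1,4111 1111 1111 1111\n2,4111-1111-1111-1112\n",
        "notes/readme.txt":
            "Ticket 1234567890123 is an order id, not a card.\n",
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}:{f.line_no}: {f.masked}")
```

Only the first CSV row is reported: the second row fails the Luhn check and the 13-digit ticket id in the text file does too, which is what keeps a pattern-only scan from drowning a team in false positives. Scheduling this kind of scan on a regular cadence across every endpoint, as the article recommends, is what turns a one-off inventory into an ongoing control.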
Secondly, businesses must invest in a champion of data compliance measures. This could take the form of a CISO, a virtual CISO (vCISO), a chief data officer or a similar role. Strong CISOs act beyond reactive defense and implement a proactive data discovery strategy, becoming a trusted advisor to the business.
Although an experienced data officer is integral to a robust data privacy plan, ensuring that employees are trained in privacy is equally critical. Often, employees are the gatekeepers between consumers and malicious actors. To this point, 73% of organizations experienced a serious data breach caused by phishing in 2021, highlighting how important it is for employees to be aware of their data-handling responsibilities.
Looking ahead
The end goal for the UK, as Dowden has expressed, is to diverge from the EU's protection expectations and reform British privacy laws so that they are based on "common sense, not box-ticking." As the UK begins solidifying these strategies and regulations, we can expect the rest of the world to be watching closely to see how they may also help businesses and regulators work in harmony to uphold consumer privacy.
ABOUT THE AUTHOR
Stephen Cavey, Co-Founder and Chief Evangelist, Ground Labs
As Ground Labs co-founder, Stephen Cavey leads a global team empowering enterprise partners to discover, manage and secure sensitive data across their organizations.
Stephen has deep security domain expertise with a focus on electronic payments and data security compliance. He is a frequent speaker at industry events such as PrivSec Global, and his expert analysis has been featured in media outlets including the Financial Times, Entrepreneur and SiliconANGLE, among others. He is also a member of the Entrepreneur Leadership Network and Forbes Technology Council.
Prior to Ground Labs, Stephen held leadership positions at Paycorp, an integrated electronic payments solution provider owned by KKR. Stephen also served in engineering roles with Webpay, a payment services provider later acquired by Fidelity, and Webtel, an early Australian ISP.