Over the past couple of years, we’ve seen rapid changes in the field of data privacy and security regulations. This started with the GDPR, but this particular piece of legislation won’t be the last one the industry faces. For example, the CCPA went into effect on January 1, 2020, and the New York governor signed the “SHIELD Act” in 2019, which added new data security requirements that all businesses handling New Yorkers’ data must follow. Meanwhile, international governments all over the world are passing or considering heavier regulations on how companies collect, store, and process customer data.
Related: Data Privacy Compliance Pitfalls to Watch Out For
Privacy laws: Past and current
Data privacy compliance is the line between legal and illegal use of data. The laws and regulations surrounding it are in place to protect consumers by ensuring the safety of their data. Below is a sample of notable privacy laws developed by EU and U.S. lawmakers.
- The EU’s Data Protection Directive was put in place in 1995 to protect the security and privacy of personal data. Organizations must consider the data protection rules when an EU citizen’s personal data gets exchanged or collected for processing.
- The General Data Protection Regulation (GDPR) was approved in 2016 to replace the previously mentioned directive. It sets critical guidelines for processing and collecting the personal information of EU citizens and residents.
- The Stop Hacks and Improve Electronic Data Security Act (SHIELD) made some fundamental changes to New York’s cybersecurity laws to better protect personal data from breaches.
- The California Consumer Privacy Act (CCPA) of 2020 prevents unauthorized access to personally identifiable information.
New privacy regulations are being put into effect rapidly all over the world. Organizations need to understand how these regulations affect the way they operate and take measures to ensure compliance to avoid hefty fines and protect their employees, clients, and brand reputation.
Privacy compliance challenges
These data privacy laws have presented a myriad of challenges for data privacy and data protection professionals. For instance, many organizations have seen a surge in the number of data subject access requests (DSARs) from individuals during the COVID-19 pandemic. Protecting data from theft and unauthorized access also became more complicated when employees shifted to working remotely en masse.
Key steps for maintaining data privacy compliance
One of the most important steps you can make to strengthen your data protection compliance effort is to hire a data protection officer – someone with privacy domain expertise and the operational chops to work effectively with key stakeholders across the organization to stand up for data protection policies, procedures, technological safeguards, and employee education programs.
What is a Data Protection Officer (DPO)?
Data protection officers have a big job to do. If a DPO works for a company that the GDPR covers, they are required to perform the following tasks, per GDPR requirements:
- Train their organization’s employees on GDPR compliance requirements and other relevant data privacy regulations
- Conduct regular assessments and audits to ensure GDPR compliance.
- Serve as the point of contact between the company and the relevant supervisory authority.
- Maintain records of all data processing activities conducted by the company.
- Respond to data subjects to inform them about how their personal data is being used and what measures the company has put in place to protect their data.
- Ensure that data subjects’ requests to see copies of their personal data or to have their personal data erased are fulfilled or receive a response.
The duties above broadly cover many responsibilities of a DPO, but each has many smaller duties that come with it. For example, to facilitate training employees on compliance requirements, the DPO will need to create training materials, develop or revise the employee handbook, work with managers to develop training schedules for their team, and conduct training with anyone responsible for compliance activities.
Your DPO will need to have strong working relationships with your IT department, security team, and executives. In addition, they will need to enforce your company’s compliance policies and hold employees accountable to them. Your DPO needs to partner with your security team.
Why are data protection officers a necessity?
Data protection and privacy professionals have become hot commodities in the business world as legislators and consumers increasingly call for stronger data protection. In fact, organizations that must adhere to the GDPR are legally required to have full-time data protection officers on staff.
According to the employment site Indeed.com, the number of openings with the terms “data privacy” or “data protection” in their titles has increased 75% over the past four years. The need for data protection officers (DPOs) is expected to be particularly high in any data-rich industries, such as tech, digital marketing, finance, and healthcare.
Many DPOs feel they’re not supported by management
Once you hire a DPO, it is crucial that they have the support of senior management and resources to effectively do their job. According to the GDPR website, almost a quarter of data compliance officers surveyed said the biggest challenge they faced was a lack of resources, and 13 percent of those surveyed said they didn’t have management support. This lack of resources and support is further evidenced by budgets that show that almost half of the organizations surveyed spent less than 5 percent of their annual risk and compliance budgets on data protection activities!
A lack of management support and access to resources makes a data protection officer’s job more difficult and makes it more likely that your business will face data breaches, fail audits, and suffer the consequences of not prioritizing information security and privacy.
Providing your data protection officer with the resources they need, whether it’s compliance management software, additional human resources, or a budget for outside experts to perform an audit, will empower them to build an efficient and effective compliance program. It might be concerning to spend this kind of money without an easily quantifiable return on investment. Still, data security and privacy are priceless and will save your company from losing even more money and suffering reputational damage.
Other than hiring a DPO to cover applicable regulations in your jurisdiction, there are some additional steps you can take to set up a systematic data privacy compliance effort for your enterprise. Below are the key steps organizations should follow.
Data protection principles and purposes
Other than adhering to the applicable privacy regulations in your jurisdictions, a large part of any data protection strategy is about ensuring that data can easily and quickly get restored after any breach or loss. Thus, protecting data from loss and having the ability to back-up data are the other essential components of data protection.
The fundamental principles of data protection are safeguarding and making certain data available under all circumstances. Data protection describes business continuity and disaster recovery along with the operational backup of data. There are two evolving lines of data protection: data management and data availability.
Setting up a good framework that enhances data protection and privacy for your employees and clients includes:
1. An overall privacy risk management strategy
Many companies don’t have an integrated, comprehensive strategy to achieve data protection and privacy compliance. For an overall system to work efficiently, organizations need all key stakeholders to be represented and implement a unifying approach and set of principles that define how it will respect personal data in the way described by all applicable regulations. Effective privacy risk management can help you build trust in your products and services, communicate better about your privacy practices, and meet your compliance obligations.
The good news is that you can leverage existing privacy frameworks. For instance, the National Institute of Standards and Technology has developed a Privacy Framework, a flexible framework with a set of recommended activities organizations can implement to manage privacy risks from data processing.
Use the NIST Privacy Framework to Stand-up an Enterprise-Wide Data Privacy Program.
2. Data protection compliance SMEs
Employing data protection compliance subject matter experts (SMEs) is almost a necessity these days—no one is an expert on every aspect of different compliance regulations. Assigning SMEs to develop compliance strategies for specific regulations (like GDPR) is one option that helps enterprises facilitate compliance by ensuring a single source of expertise when it comes to developing and putting into place compliance policies and practices.
3. Taking inventory of systems and assessing where you have PII
Organizations must identify and tag all personally identifiable information (PII) and sensitive personal information when it gets collected and provide a way to track it. Doing this helps you locate and protect personal data and stay compliant with recommended and legal standards.
4. Establishing policies, procedures, and technical safeguards
Organizations that are compliant with privacy regulations typically provide solid technical and physical security safeguards that help ensure the integrity and availability of their data, including the ability to detect and prevent any unauthorized access of that data. Businesses should constantly assess and update their IT measures to remain compliant and tackle any new threats, and data sharing must have its own set of controls and procedures.
5. Formulating an incident response plan
Even companies that fully adhere to data privacy regulations aren’t 100% secure. As data protection technologies evolve, so do cyberattack schemes. Organizations can mitigate the damage of an intrusion by having an effective data breach response strategy and an escalation plan. Employees who are responsible for this response should get trained on every aspect of these plans and how to use escalation channels. Corrective actions identified by the response process should be implemented and documented as preventive measures against future breaches.
6. Documenting security and privacy compliance activities
Most organizations can benefit from documenting their compliance activities more consistently, so they’re ready to present those documents for any internal or external inquiry. Although you can use general-purpose file storage/content management systems to house and track your compliance documents, reports, and records, it’s much more effective to leverage a purpose-built compliance software platform that allows easy mapping of documents to specific compliance activities and document re-use.
7. Retaining records or proof of compliance
Simply knowing that your organization is compliant with data privacy regulations is not enough. As mentioned above, you must have the ability to provide proof of your conformance for any inquiries. Compliance needs to be verifiable and accessible through various reports and documentation. Your company also should have a proven process to report non-compliance and a defined escalation path that adheres to the data privacy laws covering your jurisdictions.
What should be in your data protection budget?
At its core, the data protection officer role is all about having someone dedicated to ensuring that your data protection strategy is robust and working. There are two core parts to a data protection strategy: security and privacy.
Data security is focused on protecting assets from unauthorized use, while data privacy defines who has authorized access. Think of data privacy as the regulations or policies that govern the use of your data when shared with any entity. On the other hand, data security is the mechanism — that is, the tools and procedures — to enforce the policy and regulation. Companies need to have tools and processes to make sure the level of privacy their users have set is implemented and their data is protected.
So, in addition to having a dedicated data compliance officer, your company should allocate a sufficient budget to data security and privacy management tools. Some of the tools you can implement to assist in your data protection efforts include the items below. They fall into three categories of tools, all of which are necessary to adequately mitigate the security and privacy risks that may disrupt your business and damage your reputation.
1. Privacy management software
Regulations such as the GDPR have made the job of ensuring privacy compliance a greater challenge than ever before. Privacy management software helps you automate complex or high volumes of privacy management activities. This includes data mapping and inventory, enterprise assessments, privacy impact assessments, and responding to consumer requests. Privacy software may also help you respond to breaches, set policies, and more. This automation ensures these tasks can be done efficiently and properly and frees your data compliance officer up for other activities.
The type of software is especially useful if your organization 1) deals with a large volume of privacy management activities or 2) has complicated business processes (e.g., varied types of processing activities, multiple locations, etc.).
2. Security software
The security market is vast, fast-growing, and expected to reach $38.2 Bn by 2026. The tools in the security software market are gaining more grip among organizations of all sizes as they are helping protect business-critical information from unauthorized access and data breaches. It contains solutions that deal with web security, data protection, email security, compliance, identity, access, encryption, vulnerability scanning, endpoint monitoring, messaging security, and others.
Given the evolving nature of cyber threats, there isn’t a single “all-in-one” tool that protects your data assets from threats. Rather, it’s important to build a strong, foundational information security policy and take a layered/stacked approach that fits your specific security and business objectives. Here are some key software categories within the larger market.
Event log manager and change management software: Event log management software records each time someone changes or interacts with confidential data so that your data compliance officer can ensure confidential data is only being accessed by the right people and that access to that information isn’t abused.
Data loss prevention (DLP) technology: DLP software programs ensure that sensitive data in your possession isn’t lost, misused, or accessed by anyone who shouldn’t be able to access it. It allows you to classify different levels of data and notifies you when one of your organization’s policies is violated.
Privacy management software: Privacy management software helps you automate complex or high volumes of privacy management activities. This includes data mapping and inventory, enterprise assessments, and privacy impact assessments. This automation ensures they’re being done efficiently and properly and frees your data compliance officer up for other activities.
Identity and Access Management (IAM)/Single Sign-On (SSO): IAM software allows you to dictate who has access to what information and locks down confidential or sensitive data. It often works in tandem with single sign-on software, which provides user authentication and enables users to access multiple services with one set of credentials.
Application security platform: Application security platforms help businesses find vulnerabilities in their applications and platforms so that they can address them and prevent them in the future. They can often be used throughout the entire lifecycle of an application to help make sure vulnerabilities are caught and addressed early on.
Email security solution: A lot of information is sent through internal and external emails, and a robust email security solution allows you to keep your emails safe through email encryption, spam filters, virus scanners, and strong password requirements.
Vulnerability assessment solutions: Just like the name implies, a vulnerability assessment solution works on your company’s system to find any vulnerabilities that there might be in your system’s security so that you can address them before they allow someone to access your data.
In addition to budgeting for these tools, you should be dedicating some of your budget to data security and awareness training for your employees. All of your employees should have training on things like spam and phishing emails, physical information security, and strong passwords.
In addition, your employees who handle confidential information should receive regular training on the proper storage, access, and handling of that information.
3. Compliance Operations Software
This type of software is emerging on the market. Compliance Ops software isn’t designed with any specific regulation in mind (e.g., GDPR). Instead, it’s designed to help data protection and compliance professionals track and document their compliance processes for any and all regulations they need to comply with. Compliance Ops software also provides storage for evidence and keeps track of all compliance activities taking place across your organization.
Related: Choosing the Right Risk Management Software
Hyperproof is an example of this kind of software. For example, instead of documenting your ISO 27001 or CCPA compliance processes and evidence in different folders and spreadsheets, it allows you to centralize all of your documentation and makes the entire process easier to manage. In addition, the software gives your data protection officer the ability to collaborate with stakeholders across your organization (e.g., IT, operations, marketing) to keep controls and evidence up-to-date so passing an audit becomes an easy endeavor.
Interested in making privacy compliance easier? Get started with a demo of Hyperproof!
Now you understand the importance of a DPO
A data protection officer is crucial for businesses that handle large amounts of information. It will help your company make data privacy and security a priority and prove compliance with the required security and data privacy frameworks.
Jeff Erramouspe, CEO of Spanning Cloud Apps and member of the Forbes Technology Council, writes, “If you’re a tech leader in a U.S. company, you may be thinking, ‘Does this apply to me?’ That’s the wrong question to ask. The question you should ask yourself is, ‘Do I have customers who care about the privacy of their data?’” (Forbes).
You likely have many customers who care about the privacy of their personal data. Take the step of honoring your commitment to ensuring customer privacy and protecting your company’s reputation by hiring a data protection officer and giving them the tools they need to be successful.
Monthly Newsletter