To harmonize data privacy laws across Europe and give more control to EU citizens over their personal data, the European Union introduced the General Data Protection Regulation (GDPR) this past spring, which caused a stir among organizations within and outside the borders of the EU. While the mandate looks basic — to protect the privacy and security of EU citizens’ personal information — it may necessitate major overhauls of your existing processes and infrastructures. In the first part of this blog series, we provided a step-by-step guide to achieving sustainable GDPR compliance.
According to a Tech Republic report, 60% of companies were thought likely to miss the GDPR compliance deadline. For some organizations, two years is simply too short a period to completely prepare for the GDPR because its individual provisions usually take a long time to fulfill. eBay Inc., for one, confessed that it took them more than “two years to fulfill European requests to have their data deleted right away.” The right to erasure (right to be forgotten) is just one of the many requirements of the GDPR. Companies that handle the sensitive data of EU citizens should also observe other data subject rights, including the right to access, the right to be informed, the right to rectification, the right to data portability, the right to object, and the right to restrict processing of their personal data.
The situation is further complicated by the fact that the above concepts are currently fairly loosely defined, and more definitive guidelines as to what they actually mean will only emerge after the European Court of Justice sets precedent in its rulings on cases brought before it under the GDPR.
Various standards, various complexities
Of course, the GDPR is just one of the various national and international standards that businesses should adhere to in order to remain compliant and enhance their brand reputation, as well as maintain customer trust. Depending on where they operate, financial institutions, for one, should comply with rules and standards that are particular to their industry, including the Federal Information Security Management Act (FISMA), SEC regulations (e.g., Sarbanes-Oxley), the European Free Trade Association (EFTA), and the Commodity Futures Trading Commission (CFTC). US-based healthcare organizations, on the other hand, should comply with the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (the HITECH Act), and the Clinical Laboratory Improvement Amendments (CLIA).
On top of these industry-specific standards, businesses should also observe the standards and regulations that protect certain types of data. For example, healthcare organizations that accept payments via credit card should also comply with the Payment Card Industry Data Security Standard (PCI DSS). If they process personal information about minors, they should observe the Children’s Online Privacy Protection Act (COPPA).
Compliance with all these various rules is surely a major pain point. Identifying what standards apply to your industry is just an initial step, and not even half of the battle. After you determine all the standards relevant to your business, you then have to conscientiously prepare your organization and ensure that every key element can comply. And this is not an easy endeavor. You need to spend considerable time, effort, and resources — along with the cooperation of the entire organization — to pull it off.
Another main challenge is how to sustainably comply with every standard. You have to contend with the ever-increasing quantity and variety of data and the ever-evolving data security threats that make compliance even more exacting.
- Exponential growth of data. According to IBM, roughly 2.5 quintillion bytes of data are generated every day. Processing these huge amounts of data for business intelligence is a challenge in itself. Data compliance adds another burden, in that you have to keep the data secure and protected while you gather, cleanse, process, store, and analyze it. Oliver Wyman foresees that at least 90 million gigabytes of data will be implicated when the GDPR takes effect.
- Data threats. Cyber crime is the greatest threat to data. In today’s boundless world, it has become harder than ever to protect data from the different kinds of threats that may surface from virtually anywhere — from state-sponsored hackers, to corporate spies, to data-for-ransom operations. Even something as simple as employee negligence can result in a serious data breach that can cost millions in fines.
Achieving compliance with multiple standards
There are two approaches that you can embrace in order to achieve compliance with different standards. One is to build your own data security and protection infrastructure. This means establishing your own team and designing your own framework and technology. The main disadvantage of this approach is the huge upfront and maintenance costs in terms of both infrastructure and skilled manpower.
The second option is to buy solutions and services. Various data solution vendors offer compliant platforms and solutions. Hybrid cloud solutions, for example, can help you keep data compliant both on-premises (or via a private cloud) and on public clouds. But keep in mind that most cloud solutions can enable compliance only at the infrastructure layer. They offer physical security or a “compliant container” for enterprise data, but they do not provide a mechanism to filter out and prevent non-compliant applications and data from entering their platform. You cannot achieve compliance simply by migrating your applications and data to a “compliant” host.
Another limitation of most cloud solution providers is that they offer modular solutions. It can be an advantage if you do not want to buy a full range of solutions all at once. But the drawback is that, when a new standard is introduced, you may need to add a new module or buy a whole new set of data compliance solutions if your existing vendor lacks the tools or services that you need.
A holistic approach to compliance
When the GDPR was approved, affected businesses embarked on a quest to find the complete range of GDPR-compliant solutions that could save them from punitive penalties. If businesses stick to a duct-tape approach, the same scenario could happen again when a new standard as demanding as the GDPR is rolled out.
Forward-thinking businesses should know that the GDPR is not the ultimate compliance standard; it is merely an attempt by the EU to catch up with the realities of the digital world. As new technologies come into being, data volume and variety snowball. You should take a more proactive, adaptable, and sustainable approach to compliance, which is exactly what Liaison offers.
- Beyond physical security. Liaison provides more than just compliant people, processes, infrastructure, and applications. Our managed services model and platform offer compliance at the data layer, across the entire data lifecycle.
- Adaptable and scalable. Liaison understands the complexity of maintaining compliance with a broad scope of ever-changing standards and regulations. Leveraging our platform and solutions, which are compliant with multiple standards, we empower you to respond adaptively and appropriately to new sets of compliance regulations without constantly and entirely revamping your infrastructure.
- Strategic rather than tactical. To achieve and maintain full compliance with various data security and protection standards, businesses should broaden their perspective and design compliance programs that can address not just immediate concerns but future risks as well.
Instead of embracing a “duct-tape approach” that can be very costly, cumbersome, and unsustainable, you should take advantage of full-service providers like Liaison, which allow you to strategically deal with compliance. This enables you to overcome difficulties and complexities in maintaining compliance for different types of data that sit in different locations and jurisdictions.