As technology continues to evolve rapidly, the regulatory landscape around the data these tools collect and store evolves as well. CIOs and CISOs, who are at the forefront of this change, can expect continued challenges to their existing data privacy and security procedures as states across the U.S. and nations around the world develop and revise the regulatory requirements aimed at safeguarding consumer information. In fact, Gartner predicts that, “by 2023, 65 percent of the world’s population will have its personal data covered under modern privacy regulations.” Staying ahead requires putting the right technology in place to operationalize privacy protections, while using creative approaches such as turning to outside resources to manage backend processes. At the same time, these leaders are grappling with staffing the highly skilled people needed to respond to customer inquiries about how their data is being used and protected. All of this is aimed at avoiding the financial impact of regulatory violations, which can cost an organization millions of dollars.
“Data security has been a very important trend for the last few years,” said Scott Laliberte, managing director and leader of Protiviti’s emerging technologies practice. “I think it will continue to be a big concern in 2021, as more jurisdictions layer on additional regulations and requirements around how data is handled.” He pointed out that, as new technology is introduced, new complexities come with the territory. “IoT devices, as just one example, present a whole litany of new data collection that needs to be protected and governed.”
“One of the main goals for CIOs and CISOs in 2021 is to make their cybersecurity approach really effective in all the three phases: prevention, detection and response,” said Enrico Ferretti, managing director with Protiviti Italy.
“In fact, it is too often that we see organizations focus very much on preventive measures, not paying enough attention to incident detection and response processes and technologies.” This causes a cascade of costly issues once an incident is discovered, particularly when weeks or months have passed since the breach and both valuable data and time to mitigate have been lost.
Global Regulations and Consumer Concerns
Keeping up with the changing regulations is something most companies find to be a challenge, according to Manisha Agarwal-Shah, managing director and head of Protiviti’s data privacy practice. To help alleviate some of the confusion, her team is producing a singular, global approach to compliance with major regulations. “GDPR, CCPA/CPRA, LGPD, the Canadian PIPEDA and POPI, which is the South African privacy law, are having the biggest impact on most companies,” she said. “It is quickly becoming apparent that organizations have so many regulations to comply with. We are looking at the places where we have, say, 80 percent overlap so that we can minimize compliance fatigue for organizations and help them develop unique frameworks for compliance specific to their environment,” she added.
“Consumers are not always aware where their data is going but are more cognizant now that they have rights they can assert,” Agarwal-Shah said. Organizations are quick to reassure their customers that personal data is well protected and, as a result, much of what is driving technology investments for CIOs and CISOs in 2021 is being drawn from regulatory requirements outlined in the GDPR and CCPA/CPRA. “And we see this growing,” said Agarwal-Shah. “We know this challenge isn’t just limited to a particular country or a specific state. This is really global in nature. There are several countries that have national privacy laws. The US doesn’t have a federal privacy law yet, but a number of states have their own independent privacy expectations, which is really the driving force behind organizations wanting to operationalize their privacy environment using technology. There’s been a fragmented, state-by-state approach but I anticipate that, within the next year or two, a broader federal regulation will be introduced that will help us centralize these regulatory expectations nationally.”
Operationalizing the Reg Tech Environment
“To manage all the data governance matters required by privacy regulations, we are predicting growing adoption of solutions for data discovery and data classification and protection fully integrated with business applications,” said Ferretti. “There are some industries that are more impacted by privacy matters than others, including energy, utilities, telecommunications, health and safety and distribution, to name just a few,” he added. These are all industries that manage privacy data for a large number of customers.
Organizations that do not take a technology approach to privacy have a difficult story to relay to the regulators to justify how their data security program really operates. “It is virtually impossible to do this well manually for larger organizations,” said Agarwal-Shah. She used the example of an online dating service to illustrate the point. “Let’s say I’m a consumer using this online dating app and I call that company to say, ‘I want to delete my account, and also, tell me all the data you have about me and which vendors you’re selling it to, and where else it might be shared.’ I believe the current regulations allow 30 days to respond. That is a nearly impossible task for the organization to do manually – especially when they receive thousands of these types of calls every month. With the right technology in place, much of that work happens in the background. Essentially, working with a vendor, the organization can have a small team of folks dedicated full-time to responding to these requests, instead of hundreds. When considering the need to train and manage a large staff, including the expected turnover, it makes sense to bring in a third party to handle this regulatory compliance work.”
As mentioned in an earlier blog, Why Data Privacy and Security Must be a Priority in 2021, Agarwal-Shah said, “It is important to begin by evaluating all the different use cases needed to meet an organization’s privacy needs. We encourage clients to ask themselves, ‘How do we implement our existing technology to meet our objectives? Which available technologies provide that service and how well can it actually be achieved?’ An organization might realize that 80 percent of those use cases are being adequately met, based on its current stack.” She added that how an organization will govern, or manage, its data is also a critical concern. “Making executive decisions around what type of technology is needed versus just focusing on the most cost-effective solution that’s available will be important. Tech leaders want to make sound decisions, not just cost-saving decisions.”
Agarwal-Shah’s privacy team has created more than 30 standardized use cases, covering areas such as maintaining records of processing activities (ROPA) and data inventories, managing data subject access requests (DSARs), cookie compliance, conducting privacy impact assessments and more. These use cases are easily adapted to a particular organization’s unique needs.
The Cost of Noncompliance
“The risk of noncompliance is so high in terms of fines,” said Agarwal-Shah. “GDPR penalties can range from two to four percent of global revenue, or up to 20 million euros. In the U.S., it varies by state, and there are hefty fines associated with not managing data appropriately.” While, as mentioned above, companies can attempt to manage privacy processes manually, “it’s something we would never recommend clients do,” she added. “It really adds a significant amount of value to be able to have an automated data inventory, whether it’s tracked from a survey-based analysis or true automated data discovery. It’s critically important to embrace automation to manage data tracking upfront, quarter over quarter, or more often depending on how the business changes. The biggest benefit is in economies of scale. You may require 100 people to effectively manage the number of requests being received. However, by investing in the right technology, you can reduce the resources and the resource requirements needed to manage privacy expectations, both now and well into the future.”
To learn more about Protiviti’s data privacy practice, contact us.