Can ordinary companies keep up with data compliance regulations?

For many companies, data compliance regulations are a huge burden, and one that’s only getting heavier.
The GDPR regulations introduced in the EU last year were just the tip of an iceberg of customer confidentiality and permission requirements. Hot on its heels comes the California Consumer Protection Act (CCPA), due to become effective in January 2020, and the New York Privacy Act, which is still under discussion. And that’s without even mentioning additional compliance regulations like HIPAA for patient medical and personal information, or PCI DSS for customer payment information.

Adding to the problem is the fact that data keeps multiplying. Today’s marketing and sales tactics emphasize the personalization and customization of products, marketing messaging, and more. Users demand fast login and purchase processes, which push sites to rely on cookies to speed them up.

There’s no way to succeed in business today without gathering and storing a wealth of customer and user details, making data compliance an ever-more complicated and expensive process.

Companies are not keeping up with data compliance regulations

Set against this backdrop, it’s not surprising that so many companies are still failing to keep up with data compliance regulations. In fact, more than a full year after GDPR was introduced, most companies are still not fully compliant with it.

Even massive corporations have fallen short, with British Airways fined £183 million this summer, after poor security arrangements resulted in a customer data breach.

The introduction of CCPA ups the stakes. The Financial Times reports that only 42% of businesses are prepared or expect to be prepared by the time the act comes into effect. According to one report, the upcoming burden of more regulations leaves 70% of privacy professionals insisting that their systems can’t support the new compliance requirements.

How to make data compliance a reality for your company

If huge enterprises like Google and Apple can’t comply with data regulations, what hope is there for small to medium-sized companies to keep up with the rapidly multiplying requirements of data compliance? But there’s really no need to panic.

Here are some steps for you to take to make data compliance work for your business.

1. Appoint a data protection officer

If you’re GDPR compliant, you should already have a dedicated data protection officer (DPO) whose job it is to oversee data storage and access across the entire business.

Your DPO should centralize all your compliance issues and help to streamline the practices needed for different data protection regulations, including:

  • Setting up a fast process for customers to request information about their personal data
  • Keeping a document trail of how and why identifying data is collected and stored
  • Monitoring all employees’ use of regulated data
  • Tracking where and how regulated data is stored
  • Replying to requests from customers to remove their data and responding to data breaches

2. Set security controls

The next step is to put data loss prevention (or “DLP”) practices in place throughout the entire company, in order to minimize the risk of data leaks by external attackers or internal malicious actors, or through accidental exposure.

There are a number of tactics that you can apply, but the main ones are:

  • Creating strong access controls, so that only authorized employees can access confidential data
  • Applying encryption rules to communications, both within the company and with external partners, so that any data that falls into the wrong hands can’t be easily read
  • Setting automated triggers and alerts that let the data protection officer know about any data breach as soon as possible, since GDPR requires you to notify customers about a breach within 72 hours
  • Introducing event-log management software, which records each time someone changes or interacts with confidential data

3. Increase visibility into data access

While access controls, encryption, automated alerts, and all the rest are vital steps in your data compliance journey, none of them do any good if you don’t know all the places where your customer data is stored. At a time when SaaS apps reign supreme and companies allow employees to use self-service work apps, data compliance officers risk losing control of data access to what’s become termed “shadow IT.”

Source: https://www.hackread.com/can-ordinary-companies-keep-up-with-data-compliance-regulations/
