If your organization is like most, you may be working to review, revise, and ramp up data security compliance efforts in anticipation of the California Consumer Protection Act (CCPA), which goes into effect January 1. You have also likely realized that the pace of regulatory changes and demands is not slowing down. In fact, today’s data protection and privacy laws are likely to be just the tip of the iceberg. How will you keep up?
The growing body of regulations presents a complex network of overlapping, sometimes conflicting requirements, so you may also be feeling a growing frustration as you try to sift through the laws and avoid the potentially significant penalties for losing or misusing individuals’ data.
Part of the frustration you may be experiencing is caused by the emergence of a separation between data privacy and data protection. The requirements for protecting data are not the same as for ensuring the rights and privacy of data owners. The effort and skills needed for compliance are also different.
As you work to comply on both fronts, you will likely be challenged to find experts who possess the skill sets and technical knowledge to support the required data protection disciplines and experts who can create the processes required for data privacy.
Let’s look at how this separation of requirements is causing a shift in the way we look at data protection—and how you can put in place the resources you need.
Start by Recognizing the Difference Between Data Protection and Data Privacy
With the CCPA, California is one of numerous states that have adopted or are working on legislation that matches the spirit, if not the exact letter, of the European Union’s General Data Protection Regulation (GDPR).
Data protection requirements are not a new idea. For decades, numerous local and state governments have had in place basic data protection requirements. In fact, according to the National Conference of State Legislatures (NCSL), as of 2018, 25 states already had data protection laws on the books. In most cases, those laws have been fairly general, requiring organizations to adopt and implement “reasonable procedures and practices” to prevent the unauthorized use, disclosure, or destruction of sensitive personal information.
In 2018, the GDPR ushered in a new sensibility about the nature of data and its ownership. In response to the data economy, in which companies profit from data, the authors of the GDPR asked, “If data is truly a resource, who does it belong to?”
New regulations seek to establish the data subject—that is, the individual to whom the data relates—as the rightful owner. The general trend in the regulatory landscape is to assign certain data privacy rights to data subjects. Implementations differ, but the emerging regulations are 90% similar in giving data subjects the rights to:
- Know how their personal data is being used
- Give and withdraw consent for that data use
- Be forgotten
The central idea is that information about you is your property and you should be able to control how and when it is used and by whom.
By recognizing these broad-reaching data privacy rights, the GDPR started a snowball effect. Agencies and governments now are empowered to implement more stringent and specific data privacy requirements than they have in the past.
While there are elements that overlap, the majority of the emerging regulations we are seeing are privacy focused, unlike earlier regulations such as HIPAA, PCI, and ITAR, which are true data protection regulations.
All Hands on Deck: Keeping Up with Data Security Compliance
Although the aim of all this regulation is to protect personal data, it can create a mountain of complexity for your information security teams, who are already overtasked as they attempt to keep up with a flood of ever-changing threats from both inside and outside the organization.
Now your teams are also playing the role of data privacy researchers, combing through new and upcoming regulations to learn whether they have the tools, processes, and policies in place to meet those regulations—and how to demonstrate compliance.
For many companies, the complexity of dealing with both data protection and privacy is leading to a shift in the composition of the teams in the security discipline. Data security compliance is managed through a combination of policies, procedures, reporting, and automated and manual responses to events and requirements, so your team will need a wide array of skills inside and outside of the security group in order to comply.
You probably have some of the people you need in your non-IT departments. Privacy professionals, attorneys, and other non-technical experts bring their skill sets to the teams, extending security outside the domain of engineers and other technical people.
This is a good thing: in the modern compliance landscape, it is the truly multi-functional team that succeeds. However, integrating these professionals—and dealing with the talent shortage within the information security space—puts immense pressure on teams. Building this diverse team is especially difficult for midsized organizations. They may need 7 disparate skill sets, for example, but have a team with only 3 of those skills. It is very difficult to achieve success in a scenario like that.
Extend Data Protection Expertise: Leverage Managed Data Protection Services
Managed data protection services fill a critical role in relieving pressure on an organization to staff unique and specialized skill sets. These services also provide extended value for budgets by supporting the protection of both compliance and business-critical data.
Simply put, in all but the largest and most complex organizations, it is significantly less expensive to leverage a managed security service for data protection programs than it would be to staff it internally. Organizations are finding that in a competitive talent market, it’s increasingly difficult and expensive to recruit, train, and retain skilled data security professionals.
Managed data protection services give your organization access to a team of knowledgeable and practiced experts who can bring a broad set of experience and problem-solving to bear, providing a highly cost-efficient solution to the hiring dilemma.
Additionally, from a business perspective, regulated personally identifiable information is typically not the most critical data to protect. The information that means the most to an organization may be its own critical data assets, such as product formulas, designs and innovations, pricing strategies, manufacturing plans, client information, and research and development information.
Mandated data privacy compliance often provides the budget to acquire the necessary tools and resources to build a comprehensive data protection program, which expands beyond the original compliance use cases to include those critical assets.
When organizations calculate the ROI of such a program, it’s easy to make the case for a managed data protection solution.
Covering All the Bases: Get a Handle on Compliance Complexity
The rapidly developing compliance landscape presents ongoing pressures to organizations of every size. As you face the need for a dual focus on both data privacy and data protection, you’ll realize that no single tool or approach can provide a complete solution.
Instead you must seek to build the right balance of people, processes, and technology to provide protection that’s customized for your business and your compliance needs. Managed data protection services are a key part of that puzzle.
Look for a partner with deep experience and the agility to provide turnkey options that can fill in the gaps you’re missing today. Then, be sure that provider can also work with your internal team to develop the comprehensive coverage you need to stay ahead of the compliance game—and protect your critical assets for the future of your company.
Data Protection for the Future of Your Company
InteliSecure provides customized, comprehensive managed data protection services for any size company, from large enterprises to midsize organizations. Regardless of your company’s complexity or data protection requirements, we provide the managed data protection solution you need—at a level that’s appropriate for your business. Learn more about InteliSecure FX solutions.