Data privacy took center stage in 2018. Compliance regulations governing the protection of confidential data aren’t new – laws like HIPAA have been around for years – but GDPR got everybody’s attention. Data privacy compliance has taken a prominent role in the security protocols of every industry, changing the way we think about privacy, who is responsible for it, and the trends that are emerging from those new attitudes.
In the past, we associated data privacy compliance primarily with certain kinds of data or industries – medical records, financial, and education, for instance. But now, primarily because of GDPR, everybody is thinking about privacy.
For example, today’s restaurants are juggling dozens of complex federal and state labor compliance issues, according to David Cantu, Co-founder and Chief Customer Officer of HotSchedules. While guest services, food quality management, menu development, efficient ordering, and marketing planning are essential tasks for successful restaurants, labor compliance now needs to be a priority as well.
“New York City’s Fair Work Week Law (effective November 2017) requires quick-service restaurants to determine work schedules two weeks in advance, with various fines being imposed when shifts are changed thereafter,” Cantu explained. “One trend we’re currently seeing is expensive penalty costs as businesses adapt to last-minute staff changes, causing franchise groups in New York City to challenge the law. Given the last-minute changes and penalty fees, businesses need a seamless solution to manage compliance and save valuable time as compliance law evolves.”
Legislation Introduced Everywhere
First and foremost among those trends is the attempt to initiate an American GDPR. (And it isn’t just Americans who want data privacy protections. Countries from Canada to Australia have introduced some sort of privacy legislation.) All 50 states have some sort of legislation at least introduced, if not passed, that addresses privacy, protection, or notification, and in some cases all three. There’s a push to get legislation passed at the federal level. Whereas data protection from a cybersecurity perspective has languished in the halls of Congress and state capitols for years, protecting consumer personal information seems to be a high priority.
Consumer Privacy Comes First
Protecting PII is another compliance trend we’ve seen in 2018. “The focus of compliance has shifted from protecting the organization and its investors to protecting individuals,” said Zack Shulman, compliance research senior engineer with LogRhythm. “As organizations are becoming more and more data-driven, this is at the forefront of most GRC programs – or should be if it isn’t.”
Also changed is the vendor relationship. “Vendors are no longer separate entities from the organizations that contract them,” explained Shulman. “A breach to a vendor will most likely result in as much – or more – ill will to the parent organization as if they themselves had been breached, and GRC programs and common frameworks are taking this into account. As a result, parent organizations are building out more robust vendor management practices.”
Speaking of parent organizations, this shift in protection has led to individual organizations improving their privacy policies well beyond anything written down in United States law, added Josh Mayfield, Director of Security Strategy at Absolute. “Private companies, in the sense of non-government, scrapped their old standards and rules for a more robust and user-benevolent way,” he continued. “In 2018, while Washington was busying itself with reelections, scandals, and gaffes, organizations in the private sector were sprinting past legislators who are still behind on a federal standard for privacy.”
Rethinking Compliance’s Role
Organizations’ executives are finally realizing that compliance is not a part-time job, according to Shulman, and there must be a significant investment in compliance to satisfy requirements and gain value from it. “We started to see position requirements and even title designations built into legislation and regulations.”
A recent survey from Hochschule fuer Technik und Wissenschaft Berlin, University of Applied Sciences, and SAP found that compliance managers today need to reshape their expertise to meet these new data privacy regulations.
“To adhere to this, we’ve seen compliance managers moving towards intelligent technologies, using artificial intelligence to identify potential patterns of fraud and to manage regulatory/trade compliance to reduce the risk of penalties and fines,” said Henner Schliebs, global vice president ERP and Finance Solutions with SAP.
The side effect of keeping pace, Schliebs added, is that the technology is now cannibalizing the role, which is threatened with being overtaken by AI. “So far, this has shifted the skill set of compliance managers, which now requires new data-related skills, the ability to work in a networked structure, competencies for using financial expertise in a new context, such as cyber risk, and ethical thinking and behavior.”
Increasing the Investment in Security
This new focus on compliance has changed the way organizations need to consider cybersecurity. Compliance strengthens organizations’ security postures by requiring minimum standards to meet regulations surrounding privacy. And this will lead to improved investment in security and training.
“As compliance teams strive to set relevant cyber-security policies that don't slow down the business, there is a trend toward deeper and more technical training,” said Altaz Valani, research director at Security Compass. “This goes beyond traditional application security awareness training and gets into the nuts and bolts of how SQL injection works, for example.”
This refocus on security in terms of compliance could be a good thing for companies that struggle to get leadership to buy into cybersecurity, added George Wrenn, CEO and founder of CyberSaint. “With technology innovation moving at such a breakneck speed, the adoption of inherently insecure technologies has already caused headaches for many enterprises. Security is quickly becoming a differentiator in the market for new technologies.”
With the number of high-profile data breaches affecting all types of consumer personal information, improved privacy compliance is a necessity. In 2018, we got our first look at the way compliance is trending.