Today marks the fourth anniversary of the EU General Data Protection Regulation (GDPR) taking effect in May 2018, which forced organizations to rethink how they collect and store data on European Union data subjects.
GDPR grants consumers the right to be forgotten, and requires businesses to have a lawful basis (such as consent) for storing and processing personal data and to be able to delete that data when a data subject requests it.
However, even years after the law took effect, many organizations are still struggling to maintain compliance with the regulation, while European regulators move toward more stringent enforcement actions.
For example, Facebook is still struggling to comply with GDPR: Motherboard recently reported on a leaked internal document disclosing that the company does not know where all of its user data goes or how it is handled.
But why are so many organizations non-compliant? The answer is complexity.
Why GDPR compliance is an uphill battle
The widespread migration of organizations to cloud services over the past few years has increased complexity on all sides. Organizations use applications that store and process customer data in the cloud and often lack the visibility needed to protect these assets.
“Companies have done a lot to bring their systems and processes into line with GDPR, but it’s been an ongoing exercise. In the same way regulations change, so does technology,” said Steve Bakewell, EMEA managing director at penetration testing provider NetSPI.
“For example, the increased use of cloud services has resulted in more data, including personal data, being collected, stored and processed in the cloud,” said Bakewell.
With so much data stored and processed in hybrid and multi-cloud environments, businesses have exponentially more data to secure and keep visibility over, beyond the perimeter defenses and monitoring of traditional networks.
Organizations like Facebook that cannot locate the personal data in their cloud environments, or determine how it is handled, will inevitably breach the regulation, because they can neither secure that data nor delete it when data subjects ask them to.
Stay GDPR Compliant in 2022 and Beyond
While GDPR demands rigorous data handling in the cloud era, there are a number of strategies organizations can use to make compliance more manageable. The first step for an enterprise is to determine where sensitive data is stored, how it is handled, and what controls or procedures are needed to protect it, or to delete it if necessary.
Bakewell recommends that organizations “understand and implement both privacy and security requirements in data processing systems, and then test them accordingly across all systems, on-premises and cloud technologies, operational and even physical, to confirm controls are effective and risks are correctly managed.”
Of course, determining how data is being used in an environment is easier said than done, especially for identity data, given the growing volume of digital identities that businesses store.
“Organizations have dispersed their identity data across multiple sources, and this dispersion of identity data leads to overlapping, conflicting, or inaccessible data sources. When identity data is not managed properly, IT teams will not be able to build accurate and complete user profiles,” said Chad McDonald, chief of staff and CISO at identity data fabric provider Radiant Logic.
If organizations fail to keep identity data accurate and minimized, they risk being penalized for a breach.
To address this challenge, McDonald recommends that businesses unify the disparate identity data about data subjects into a single global profile using an identity data fabric solution. This gives data security teams a more holistic view of the user-identifying data in the environment and of the controls in place to restrict access to it.
Look beyond GDPR: the next wave of data protection regulations
One of the most challenging aspects of GDPR’s legacy is that it ignited a global movement in data protection regulation, with countries and jurisdictions around the world adopting their own mandates to protect residents’ data and imposing new controls on organizations.
For example, in the United States alone, California, Colorado, Connecticut, Virginia and Utah have all begun implementing their own privacy or data protection laws, most famously the California Consumer Privacy Act (CCPA).
The US is not alone in implementing new data protection frameworks: China has enacted the Personal Information Protection Law (PIPL), South Africa the Protection of Personal Information Act (POPIA) and Brazil the General Data Protection Law (LGPD).
With regulatory complexity on all sides, GDPR compliance alone is not enough for organizations to avoid data protection violations; they need to comply with every regulation that applies to them.
For example, while GDPR allows the transfer of personal data across borders as long as it is adequately protected, PIPL places far stricter conditions on transfers out of China. Organizations operating in both Europe and China will therefore need a single set of controls that satisfies both regimes.
Similarly, while GDPR requires only a lawful basis to collect the personal data of EU data subjects, the CCPA requires that you let consumers opt out of the sale of their personal information.
The writing is on the wall: organizations cannot hope to keep up with these regulatory changes without an effective meta-compliance strategy.
In practice, that means implementing controls and policies designed to reduce regulatory overlap and work toward compliance with multiple regulations at once, rather than approaching each regulation separately.
VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact.