85663: Managing Global Compliance in the Wild West of Converging Data Security and Privacy Policy
Project and Program: Service Delivery, Security and Compliance
Tags: Proceedings, SHARE Orlando 2024, 2024
1. Privacy has taken center stage alongside data security and compliance. In 2023, five U.S. states issued data privacy laws: California (CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA) and Utah (UCPA). In addition, 50 bills have been introduced in U.S. state legislatures proposing further privacy laws. These laws are changing how large enterprises and government entities manage data governance, shifting stewardship of consumer data and security compliance from IT leaders to legal stakeholders.
   a. What's the risk? Beyond the hit to organizational reputation, the fines are big: Amazon $877 million (2022); Equifax $575 million (2019); Instagram $403 million (2022); and a host of other brand names with fines greater than $100 million, including Meta/Facebook, Home Depot, Capital One, Uber, Morgan Stanley and Google.
2. In many large organizations, business teams and IT teams work in silos. With the new privacy laws, and with CxOs transitioning privacy policy from IT to legal leadership, business and IT will be forced to work together to create a privacy policy strategy and a means to ensure data security by primary users and third-party partners.
   a. Privacy and data security are converging. Siloed organizations will carry greater data compliance risk than organizations whose business and IT leaders work together on strategy and tactical execution.
   b. Enterprises are heterogeneous, with many different systems, each holding enormous amounts of Personally Identifiable Information (PII). These systems will need to be connected and audited for compliance, and potentially for forensics in the event of a data breach or privacy violation.
   c. Systems that monitor data access and perform data deduplication/reduction (per compliance standards) will need to be well connected, with a high level of data visibility and ideally with compliance dashboards matching the laws and standards of the jurisdiction where the data is stored.
   d. Data sources outside the datacenter (email, ERP data, other systems that drive services) will also need to be monitored. You cannot limit your compliance visibility to internal databases.
3. Standards and legal constraints are numerous and vary by location. Politicians and policy influencers are creating these laws in specific U.S. states, but data is everywhere, and managing privacy and data security/compliance is going to become exponentially more difficult in the not-too-distant future.
   a. Managing data security and privacy policy compliance will be tricky, but if you manage with these fundamentals in mind, you should be able to tick all the boxes for most, if not all, compliance laws.
      i. You must communicate across silos. Business and operations teams are generating and consuming more data than ever before. Since they are less educated on data risk and on remediation after a breach, communication and education are paramount. Communicate to them that human error is the biggest threat to data security and the biggest barrier to privacy policy.
      ii. Remove the silos from your technology stack as well. Your firewall data should be correlated with your intrusion-detection system, which should in turn be connected to your identity management system. Siloed technology is as detrimental as siloed workflows between business and IT teams.
      iii. Your systems need to be connected, with visibility rolled up into a single dashboard view, so that in the event of a breach or policy violation you can begin "smart remediation" or breach response with all the data about the breach in one centralized location. Without this single-pane-of-glass view, it is impossible to respond effectively (and intelligently) to a privacy policy rule such as the right to be removed, or to a potential data security threat.
      iv. Have well-defined policies for role-based access to data. Your marketing team doesn't need access to customer account information, but your support team will. The technology you use to manage privacy should have data anonymization functionality to ensure role-based access is adhered to.
      v. Only collect the data you need to complete tasks. For customer demographic data, you probably don't need day/month/year of birth; the year alone is probably good enough.
4. There are several other fundamentals that we will review in this presentation, but the idea here is to make sure the stakeholders for privacy policy (soon to be legal teams) are aligned with the stakeholders for data management and security compliance (historically IT, and likely to remain so). In this presentation, Infotel will give an overview of consumer privacy, data security and compliance, and how to navigate the complexities surrounding both.

-- Presented by Tony Perri; Colin Oakhill
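Fundamentals iv and v above (role-based access with anonymization, and collecting only the year of birth) can be expressed as a single deny-by-default field policy. The following is an added illustration, not code from the presentation or from Infotel; the roles, field names, policy table and customer record are all constructed for the example.

```python
# Added example: role-based minimisation of a customer record.
# Roles, field names and the sample record are constructed, not from the page.

# Per-role policy: a field absent from a role's entry is dropped (deny by
# default). "allow" passes the value through; "year_only" keeps just the
# birth year (fundamental v); account data is simply absent for marketing
# (fundamental iv: marketing needs no customer account information).
ROLE_POLICY = {
    "support":   {"name": "allow", "email": "allow", "account_id": "allow",
                  "birth_date": "year_only", "card_last4": "allow"},
    "marketing": {"name": "allow", "email": "allow", "birth_date": "year_only"},
    "analytics": {"birth_date": "year_only"},
}


def _year_only(value):
    # Generalise an ISO "YYYY-MM-DD" date string to its year.
    return value[:4]


TRANSFORMS = {"allow": lambda v: v, "year_only": _year_only}


def apply_policy(record, role):
    """Return a new dict holding only the fields `role` may see, each
    transformed per ROLE_POLICY. An unknown role sees nothing."""
    policy = ROLE_POLICY.get(role, {})
    out = {}
    for field, value in record.items():
        action = policy.get(field)
        if action is None:          # not listed for this role: drop it
            continue
        out[field] = TRANSFORMS[action](value)
    return out


def audit_event(record_id, role, released):
    # Audit record for the central dashboard / forensics (fundamental iii):
    # who saw which fields of which record.
    return {"record": record_id, "role": role, "fields": sorted(released)}


CUSTOMER = {  # constructed sample record
    "name": "A. Example", "email": "a@example.com", "account_id": "ACCT-0001",
    "birth_date": "1985-07-14", "card_last4": "4242",
}

if __name__ == "__main__":
    for r in ("support", "marketing", "analytics", "intern"):
        view = apply_policy(CUSTOMER, r)
        print(r, view, audit_event(CUSTOMER["account_id"], r, view))
```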