Staying Current in an Ever-Changing Regulatory Landscape

It’s not just that there is a lot of data generated today; it’s how quickly that data is generated. The hour-by-hour growth in data makes meeting regulatory compliance difficult enough, but the ever-changing regulatory landscape adds to the challenge. How do you stay compliant when you are overrun with data while also trying to understand updates to existing regulations?

That’s the question that Andrew Neal, VP research with Gartner, and Jennifer Sosa, director, information security and compliance services with TransPerfect, addressed in their session, “Go Ask Alice: Feed Your Head with Practical Approaches to the Ever-Changing Regulatory Landscape,” during the (ISC)2 Security Congress. The problem is two-fold, they said. First, the privacy regulation landscape is always evolving. It started with GDPR and now more states across the U.S. are adding or considering similar data privacy laws.

“Trying to keep hold of the baseline of what is required is one of the problems we’re trying to tackle,” said Sosa. Second are the differing methods for data management and governance, which range from relying on manual records to sophisticated automated privacy tools. There are no standards in place to solve the problems that arise from regulations, Sosa pointed out.

Complicating Issues

Data proliferation complicates the ability to keep up with compliance regulations. It’s not just that data is continuously created, but that data creators tend to never get rid of anything. Instead, it gets moved from one location to another, pushed out of sight to make room for new, more immediate data, but still it lingers.

Neal compared data to the junk we have in our homes—rather than get rid of what we don’t need, we pile it up in the garage or basement. Add to that low awareness about where data is stored, and it becomes even more difficult to meet and maintain compliance with regulations. On top of data proliferation, organizations are working with ambiguous parameters. Businesses rely on cloud services and mobile devices. Employees are working remotely. You can no longer say that all the data is in the office.

“These ambiguous parameters create a challenge for just identifying and physically controlling your data,” said Neal. Digital transformation initiatives require organizations to take a closer look at how they do business and how they interact with clients using emerging technologies. But digital transformation also generates and uses a lot of data, and much of that data sits in non-standard locations, such as newly created apps.

The bottom line: Digital transformation has changed the way data flows through an organization.

How to Stay in Compliance

With all of these factors working against organizations, the first thing to do is admit just how big an undertaking it is to remain in compliance. To best address this undertaking, break it down into four categories: People, process, technology and training. You need the right people involved in ensuring the company meets regulatory compliance needs, no matter where you are in the compliance program process.

“You want to identify the appropriate people. That might include people from legal, IT and potentially key stakeholders from major business units within the company, who are the only people who truly understand how their data moves from day to day,” said Sosa.

The process piece is almost like a leverage piece, Sosa added. Your organization likely already has some of the pieces needed—like a privacy policy or security policy—that can form the foundation on which to build the compliance processes you need.

Technology is likely the most complex part of this undertaking to meet and remain in compliance. As mentioned earlier, there are no standards on what tools organizations need to stay compliant. For some companies, using spreadsheets to monitor data is all the technology they think they need. But as Sosa pointed out, a spreadsheet isn’t going to be of much value as data proliferates and regulations change. It is better to make the investment in the tools that keep track of your data, even if it means stretching your budget.

No one tool does everything you need, so Sosa recommends testing trial versions of different tools to see what you like, what you don’t and what fits your needs best before making a long-term commitment. Staying compliant is a whole-organization effort, so everyone must be trained on what their role is in meeting regulations, recognizing what data qualifies as PII and what the consequences are for the company if it fails to meet compliance.

Your data landscape is constantly changing. So are the regulations. What you knew about these issues a month ago probably isn’t accurate today. Sosa recommends staying on top of what is happening at sites like IAPP. Compliance matters, so keeping up with the evolving landscape will go a long way toward keeping data secure and private.
