It has been over a year since the General Data Protection Regulation (GDPR) went into full effect to ensure the protection and privacy of an individual’s personal data. Several high-profile data breaches, and the large fines imposed as a consequence of non-compliance, have sent shock waves around the world about the need for stronger data protection regulation. While the EU’s “right to be forgotten” principle at first seemed out of reach, it is becoming a standard, especially as more and more Americans begin to question how organizations are using their data. Now, with the passing of the California Consumer Privacy Act (CCPA), which takes effect on January 1, 2020, the need for businesses to adhere to data regulations is becoming a reality. The impact this will have on organizations remains to be seen, but what’s clear is that consumers around the world are starting to demand change.
And, as more regulations are put in place, and consumers begin to care more about how their personal data is being used, it is likely we’ll see other states follow suit and pass similar data privacy laws. In fact, New York state recently proposed a privacy bill that would be far bolder than California’s, but as other states try to pass similar legislation, lawmakers say a national data privacy bill is still far away. Regardless, organizations should start looking ahead of these regulations to avoid costly fines and prevent lost business opportunities in the future.
Navigating the changing data privacy landscape may be overwhelming at first, but it’s something organizations should come to expect as data privacy and protection continue to take center stage. While headlines have been riddled with tales of major cybersecurity breaches in the U.S., the CCPA aims to give users more control over their data, which means companies will need to work under new rules. Here’s what businesses, DBAs, and data security professionals should consider as they approach data privacy and take stock of their policies.
Anticipate upcoming regulations
Reading is key to comprehending the underlying complexities of U.S.-specific data regulation policies, but it’s also important to know how GDPR is affecting European countries. Remember, GDPR, though an EU regulation, also applies to U.S. companies that process the personal data of data subjects who are in the EU, not only to controllers and processors located there. Consider investing in training for your IT staff to help them gain a better understanding of how these policies are going to affect their work. Quarterly training sessions that inform staff of the latest developments in statewide privacy policies will keep security-mindedness at the forefront of their work.
Perform a complete inventory of company data
As organizations begin to evaluate their data landscape, they should consider the following questions: What kind of data do we store? Who has access to it? Where is it stored? Is it secure? These provide a good starting point for the creation of a data privacy program. Performing an in-depth data inventory (or audit) will ensure you can track personal data processing activities across your company. This is an internal audit and not the same as a compliance audit. For DBAs, this is the toughest job, especially if you’re dealing with multiple environments (on-premises and cloud), servers, virtual machines, databases, backups, etc., but it is one of the most important tasks if you want to avoid unnecessary fines in the long run. Performing a regular data audit will promote visibility and give DBAs a better view of organizational processes that might have been neglected over time.
Simplify and automate data identification
After performing a full data audit, consider automating the data discovery process for your databases, based on a set of rules that define what personal and sensitive data means for your company, so that flagging such data in the future is easier. Data identification software is an elegant way to locate personal and sensitive data. Another step in data identification is to understand your company’s risk regarding where data lives and who has access to it. Taking a proactive approach to data logging will eliminate a backlog and make future audits easier. In addition, understanding the channels the data has traveled through helps keep the data supply chain secure.
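As an added illustration of rule-based data discovery (example code written for this page, not from any product the article mentions), the script below scans every table in a SQLite database and flags columns whose name or sampled values match a small, constructed set of rules for personal data. The rules, thresholds, and sample tables are assumptions for the demo; a real deployment would encode the definitions agreed with the privacy team and run against the organization’s own databases.

```python
import re
import sqlite3

# Rules that define personal/sensitive data for this example (constructed; a real
# program would encode the definitions agreed with the company's privacy team).
# Each rule: (column-name pattern, value pattern or None, minimum share of sampled
# values that must match). A column is flagged on a name match, or when at least
# one value matches and the share of matching values reaches the rule's minimum.
RULES = {
    "email":       (r"e-?mail",               r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", 0.5),
    "phone":       (r"phone|mobile|tel",      r"^\+?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}$", 0.5),
    "us_ssn":      (r"ssn|social",            r"^\d{3}-\d{2}-\d{4}$", 0.0),  # any hit is worth a look
    "person_name": (r"(first|last|full)_?name|surname", None, 1.0),
}

def discover_personal_data(conn, sample_size=100):
    """Scan every user table in a SQLite connection; return the columns that match a rule."""
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        for col in [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]:
            rows = conn.execute(f'SELECT "{col}" FROM "{table}" LIMIT ?', (sample_size,))
            values = [str(r[0]) for r in rows if r[0] is not None]
            for rule, (name_pat, value_pat, min_ratio) in RULES.items():
                name_hit = re.search(name_pat, col, re.IGNORECASE) is not None
                hits = sum(1 for v in values if value_pat and re.match(value_pat, v, re.IGNORECASE))
                ratio = hits / len(values) if values else 0.0
                if name_hit or (hits and ratio >= min_ratio):
                    findings.append({"table": table, "column": col, "rule": rule,
                                     "by_name": name_hit, "value_hit_ratio": round(ratio, 2)})
    return findings

def build_sample_db():
    """Constructed sample data: a customers table holding PII and a products table without."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, full_name TEXT, contact TEXT, notes TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?,?,?,?)", [
        (1, "Ann Example", "ann@example.com", "prefers email"),
        (2, "Bo Sample", "bo@example.org", "123-45-6789"),   # an SSN hiding in free text
        (3, "Cy Test", "cy@example.net", None),
    ])
    conn.execute("CREATE TABLE products (sku TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?,?)", [("A-1", 9.99), ("B-2", 19.5)])
    return conn

if __name__ == "__main__":
    for finding in discover_personal_data(build_sample_db()):
        print(finding)
```

Note that the free-text `notes` column is flagged even though its name says nothing about personal data; value sampling is what catches data that has drifted into columns the schema never intended for it.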
Utilize database auditing
Most database vendors provide database auditing utilities that track and record where and when changes are made to data, and who made each change, so that the record is available in the event of a compliance audit. These utilities can also track the type of change made (i.e., insert, update, or delete) and generate the report an auditor may require.
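To make concrete what such a utility records, here is an added example (written for this page, not a vendor’s tool) that builds a minimal trigger-based audit trail in SQLite: every insert, update, and delete on a table is logged with the acting user, a timestamp, the change type and the before/after values, the log itself refuses edits, and a summary query produces the per-actor, per-change-type report an auditor would ask for. The table names, the `audit_session` mechanism and the sample changes are assumptions for the demo.

```python
import sqlite3

def setup_audited_db(actor):
    """Constructed demo: a customers table plus an append-only audit trail filled by triggers.
    SQLite has no connected-user concept, so the acting user is kept in a one-row session
    table; real engines expose it directly (e.g. current_user in PostgreSQL)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT);
        CREATE TABLE audit_session (actor TEXT NOT NULL);
        CREATE TABLE audit_log (
            id INTEGER PRIMARY KEY, at TEXT NOT NULL, actor TEXT NOT NULL, table_name TEXT NOT NULL,
            row_id INTEGER, change TEXT NOT NULL, old_value TEXT, new_value TEXT);
        CREATE TRIGGER customers_ins AFTER INSERT ON customers BEGIN
            INSERT INTO audit_log (at, actor, table_name, row_id, change, new_value)
            VALUES (datetime('now'), (SELECT actor FROM audit_session), 'customers', NEW.id, 'insert', NEW.email);
        END;
        CREATE TRIGGER customers_upd AFTER UPDATE ON customers BEGIN
            INSERT INTO audit_log (at, actor, table_name, row_id, change, old_value, new_value)
            VALUES (datetime('now'), (SELECT actor FROM audit_session), 'customers', NEW.id, 'update', OLD.email, NEW.email);
        END;
        CREATE TRIGGER customers_del AFTER DELETE ON customers BEGIN
            INSERT INTO audit_log (at, actor, table_name, row_id, change, old_value)
            VALUES (datetime('now'), (SELECT actor FROM audit_session), 'customers', OLD.id, 'delete', OLD.email);
        END;
        -- the trail itself must not be editable by the people it records
        CREATE TRIGGER audit_log_no_delete BEFORE DELETE ON audit_log BEGIN SELECT RAISE(ABORT, 'audit log is append-only'); END;
        CREATE TRIGGER audit_log_no_update BEFORE UPDATE ON audit_log BEGIN SELECT RAISE(ABORT, 'audit log is append-only'); END;
    """)
    conn.execute("INSERT INTO audit_session VALUES (?)", (actor,))
    return conn

def change_report(conn):
    """Count changes per actor and type: the kind of summary an auditor asks for."""
    return conn.execute("SELECT actor, change, COUNT(*) FROM audit_log "
                        "GROUP BY actor, change ORDER BY actor, change").fetchall()

def demo():
    """One insert/update/delete cycle; returns the trail, the report, and whether erasing the trail was refused."""
    conn = setup_audited_db("dba_alice")
    conn.execute("INSERT INTO customers (id, email) VALUES (1, 'ann@example.com')")
    conn.execute("UPDATE customers SET email = 'ann@example.org' WHERE id = 1")
    conn.execute("DELETE FROM customers WHERE id = 1")
    trail = conn.execute("SELECT actor, change, old_value, new_value FROM audit_log ORDER BY id").fetchall()
    try:
        conn.execute("DELETE FROM audit_log")
        erase_refused = False
    except sqlite3.DatabaseError:
        erase_refused = True
    return trail, change_report(conn), erase_refused
```

In production the trail should also be shipped to storage the audited DBAs cannot write to; an in-database guard like the one above stops casual tampering but not an administrator who can drop the trigger.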
Leverage independent experts with in-depth knowledge of the regulations
Having the appropriate staff in place will make all the difference in applying data policy regulation. Consider an executive whose job is to monitor all things data protection. Having a strong policy presence at the top of the organization ensures policies are put into practice correctly. If appointing a policy executive in your C-suite is beyond your budget, consider leveraging an independent expert to evaluate your organization and provide advice on upcoming policy changes (in the case of GDPR, such a person is called a Data Protection Officer or DPO). Having the appropriate people at the operational level ensures that business is taking place inside a regulatory framework, and prepares IT operations to understand how new policies will affect existing databases.
GDPR has changed the way organizations around the world look at data, and CCPA will force similar data policy changes in the U.S. that will dramatically change the ways organizations and DBAs store user data. All companies with an online presence are data companies, which means all organizations need to take these regulations seriously. IT staff need to stay alert to how these changing conditions will affect the workflow in their specific area of work. To be good citizens of the world, we must first be good students and learn from the changing policy around us. Our data depends on it.