For many companies, data compliance regulations are a huge burden, and one that’s only getting heavier.
The GDPR regulations introduced in the EU last year were just the tip of an iceberg of customer confidentiality and permission requirements. Hot on its heels comes the California Consumer Protection Act (CCPA), due to become effective in January 2020, and the New York Privacy Act, which is still under discussion. And that’s without even mentioning additional compliance regulations like HIPAA for patient medical and personal information, or PCI DSS for customer payment information.
There’s no way to succeed in business today without gathering and storing a wealth of customer and user details, making data compliance an ever-more complicated and expensive process.
Companies are not keeping up with data compliance regulations
Set against this backdrop, it’s not surprising that so many companies are still failing to keep up with data compliance regulations. In fact, most companies are still not fully GDPR compliant and we’re over a full year after it was introduced.
The introduction of CCPA ups the stakes. The Financial Times reports that only 42% of businesses are prepared or expect to be prepared by the time the act comes into effect. According to one report, the upcoming burden of more regulations leaves 70% of privacy professionals insisting that their systems can’t support the new compliance requirements.
How to make data compliance a reality for your company
If huge enterprises like Google and Apple can’t comply with data regulations, what hope is there for small to medium-sized companies to keep up with the rapidly multiplying requirements of data compliance? But there’s really no need to panic.
Here are some steps for you to take to make data compliance work for your business.
1. Appoint a data protection officer
If you’re GDPR compliant, you should already have a dedicated data protection officer (DPO) whose job it is to oversee data storage and access across the entire business.
Your DPO should centralize all your compliance issues and help to streamline the practices needed for different data protection regulations.
- Setting up a fast process for customers to request information about their personal data
- Keeping a document trail of how and why identifying data is collected and stored
- Monitoring all employees’ use of regulated data
- Tracking where and how regulated data is stored
- Replying to requests from customers to remove their data and responding to data breaches
2. Set security controls
The next step is to set data loss prevention (or “DLP”) practices into place throughout the entire company, in order to minimize the risks of data leaks by external attackers or internal malicious actors, or through accidental exposure.
There are a number of tactics that you can apply, but the main ones are:
- Creating strong access controls, so that only authorized employees can access confidential data
- Applying encryption rules to communications, both within the company and with external partners, so that any data that falls into the wrong hands can’t be easily read
- Setting automated triggers and alerts that let the data protection officer know about any data breach as soon as possible, since GDPR requires you to notify customers about a breach within 72 hours
- Introducing event-log management software, which records each time someone changes or interacts with confidential data
3. Increase visibility into data access
While access controls, encryption, automated alerts, and all the rest are vital steps in your data compliance journey, none of them do any good if you don’t know all the places where your customer data is stored. At a time when SaaS apps reign supreme and companies allow employees to use self-service work apps, data compliance officers risk losing control of data access to what’s become termed “shadow IT.”
Using Torii’s SaaS management solution creates visibility into which apps employees are using and what data resources the apps have been granted access to. With this type of index at your fingertips, you know exactly which third-party software companies can see which of your data resources. IT managers using Torii can discover and verify SaaS licenses, and create automated workflows to monitor and control SaaS app access to customer data.
For example, breaches often happen when an employee quits or is fired from their position, but still has access to company data. Torii prevents this situation from occurring by maintaining a database of all the apps used by each employee, and automatically removing the employee’s access when they leave the company.
To quote Uri Nativ, co-founder and VP Engineering at the company,
“A single system of records for all your SaaS is the foundation of compliant SaaS management. To ensure full compliance your IT department must take back control of their organization’s tech stacks.”
The right tools bring data compliance within your grasp
The challenge of data compliance is enormous and increases in both data and regulations aren’t making it any smaller. However, appointing a data protection officer, instituting the right security controls, and improving SaaS visibility with tools like Torii can help even small and medium-sized businesses to keep on the right side of data compliance.