Dealing with the Complexities of Regulatory Compliance

by May 31, 2023

Why is Data Privacy Important?

An incredible amount of digital information is generated daily, with an estimated 1.7 MB of data being created every second for every person on Earth. Not all of this data can be directly linked to individuals, but much of it can, and corporations can use those portions to create user profiles that predict purchasing habits or future online activities. Healthcare facilities and financial institutions retain personal and sensitive information that can be misused.

There are different degrees of inappropriate use of personal information. It can result from organizations taking advantage of inadequate protective measures. Unwelcome advertising and spam are annoying but do not pose severe risks to the individual. More consequential and long-term damage can be caused by data breaches that make personal information available to hackers.

News organizations regularly report on data breaches, whose number continues to grow annually. In the first half of 2019, over four billion records were compromised in the United States because personal data was inadequately protected. The affected organizations range from large banks to smaller companies that perform collections for healthcare providers. A constant in all cases is that millions of personally identifying records are potentially in the hands of criminal entities that can cause irreparable harm to the affected individuals.

Regulatory Agencies Take Action

The intrusions into personal privacy ushered in by the digital age have not gone unnoticed by the affected citizens. As the population voiced its concerns, regulations began to be crafted to address how personal data is collected and used. The European Union (EU) issued its first data protection directive in 1995. It broadly defined personal data and established guidelines for processing it within the EU. The rules were strengthened in 2012 as a precursor to the extensive set of regulations introduced in 2018 with the adoption of the current General Data Protection Regulation (GDPR).

The regulations enforced by the GDPR impact any entity that collects data from EU citizens. It was designed to eliminate the complexities of complying with standards developed by individual nations within the union. It is an extensive document that defines personal data and how individuals can exert control over how it is used. The GDPR directly addresses electronic commerce issues and data collection by holding any processor of data collected from EU citizens subject to the directive regardless of the physical location in which the information is processed. Thus, any company conducting business in the EU must comply with the GDPR.

There is no question that the EU’s directive is currently the most comprehensive set of data privacy regulations in the world. In the United States, there are no comparable overriding standards in place. While many federal and state guidelines cover some of the same ground, it would be challenging to implement a similar policy in the U.S. Clashes between federalists and states’ rights proponents make passing national legislation a difficult undertaking. There are some calls by industry leaders for a U.S. equivalent to the GDPR, but they appear to be a long way from fruition.

Many other nations around the world have instituted their own data privacy laws. In some cases, such as in Brazil, the guidelines closely follow the example of the GDPR and apply nationwide. Other countries, like Australia, follow the U.S. data privacy and protection model with a mix of federal, state, and territorial laws. The differences among these national laws illustrate the difficulty of getting concurrence from the world’s diverse nations. It would appear that there will not be a global privacy directive anytime soon.

Protecting Private Data

Data subject to privacy laws is collected and used by organizations in many ways. This presents obstacles to keeping it safe and out of the reach of unauthorized users. Here are the fundamental principles that an enterprise needs to consider when protecting private data.

  • Understand the personal and sensitive information that is contained in its systems. This is a necessary first step toward keeping it protected. For example, knowing which databases store personal information may inform how those systems must be secured.
  • Restrict the collection and retention of data to what is required for business purposes. There may be no valid reason to obtain certain personal information on customers when conducting business.
  • Protect the information that is collected and stored. This involves various strategies and tactics that run the gamut, from encrypting data in transit and at rest to enforcing strict password standards. It includes keeping networks secure from unauthorized intrusion and training employees on the correct data handling procedures.
  • Dispose of data correctly when it is no longer needed. Keeping sensitive data around after its shelf-life has been exceeded poses unnecessary risks that can easily be avoided. Use robust data deletion techniques to eradicate information from databases and storage media.
  • Create a response plan for data security incidents. If sensitive information is compromised, a plan to minimize the effects can prove priceless. This includes notifying the affected parties and regulatory bodies fully and promptly concerning the extent of the data breach.

Respond with Regulatory Compliance Management

The Internet and e-commerce have removed many of the barriers that limit international trade with individual citizens of foreign countries. Now, anyone with an Internet connection can do business with an organization located anywhere in the world. This also means that businesses need to understand the regulations in effect in all of the countries where their customers are located, and the diversity of competing privacy standards makes this highly challenging.

Organizations operating in these locales may be subject to varying constraints regarding how the population’s personal data can be collected and used. In some cases, modifications to corporate policies may need to be made on a country-by-country or even state-by-state basis to maintain compliance with these varying guidelines. Failure to follow this strategy exposes a company to penalties from each sector in which it has done business.

Here are some measures that companies can take to minimize their chance of failing to comply with privacy regulations.

  • Keep updated on regulatory changes in all markets. This includes monitoring blogs and regulatory websites that provide information regarding new initiatives or modifications to current compliance standards.
  • Conduct regular data audits to determine where sensitive data is being stored, how it is being used, and who has access to it. In a dynamic IT environment, these issues can change rapidly and demand the timely execution of appropriate actions to maintain data protection and regulatory compliance.
  • Remove unnecessary customer and employee data from systems as soon as possible. Performing this task can be complex, as outdated sensitive information can be resident in backups and operational systems. Retaining unneeded personal information is an avoidable disaster waiting to happen.
  • Ensure that all systems are updated and patched. Running obsolete software or neglecting security patches is a dangerous game that organizations should strive to avoid. Data breaches that are shown to have been caused by lax system maintenance procedures will end up being much more expensive than addressing the problem with more robust internal processes.

Some of these activities may necessitate developing new teams or reallocating human resources. The costs associated with remaining compliant may seem prohibitive to some organizations but pale compared to the price of ignoring the regulations in effect.

The Cost of Non-Compliance

Non-compliance with current privacy regulations carries substantial penalties. The GDPR specifies that the most egregious failures can cost an organization 20 million euros or 4% of the previous year’s turnover. Less severe failures can be penalized at reduced levels. Over $125 million in fines have been imposed on companies.

Non-compliance with GDPR standards can be revealed through investigations by data protection authorities, investigative journalism, or concerned employees or customers who bring protective lapses to the attention of governing bodies. Though not every jurisdiction has a body equivalent to the EU’s Information Commissioner’s Office, which oversees compliance and determines fines, failing to comply with any locality’s regulations can result in hefty monetary penalties and a commensurate loss of consumer confidence.

In the United States, the decentralized regulatory landscape results in fines being initiated from various sources. One of the strongest US laws is California’s Consumer Privacy Act (CCPA), which went into effect on January 1, 2020. It is similar to the GDPR but does not go as far as the EU’s directive. It focuses on more prominent companies in the state and includes explicit opt-out language that gives consumers some control over data use. Offending companies will be liable for $7,500 per violation and $750 for each affected user. Basing the fines on the number of users impacted by a data breach can make non-compliance very expensive.

In addition to the financial penalties that directly impact non-compliant organizations, there are lasting public relations ramifications to running afoul of privacy regulations. The publicity surrounding a data breach can result in lost customers and limit the ability of an enterprise to attract new ones. These effects may dwarf the monetary penalties and offer another compelling reason to be vigilant regarding compliance.

Complex Regulatory Compliance

As the world’s data privacy and protection standards evolve, so will the methods businesses must employ to remain compliant. Staying abreast of new regulatory developments may require full-time staff for companies with customers in multiple regulatory jurisdictions. An internal audit team may be needed to vigilantly test systems to determine compliance as conditions change within the computing environment. New procedures will need to be developed to dispose of unnecessary sensitive data and fully protect the personal data required for continued business operations.

Employing the right software tools and human resources is a critical component of a strategy designed to ensure regulatory compliance. Monitoring applications that alert an organization to unauthorized attempts to access sensitive data are essential when forming a first line of defense against data breaches. They can be the difference between a widespread loss of personal data and a swift response that nips the attack in its early stages before the information is compromised.

Historical records that demonstrate compliance are indispensable when confronted with consumer complaints or investigations initiated by regulatory agencies. They can be obtained through internal audits that document the activities meant to implement compliance and the changes made to address findings resulting from those examinations.

Many moving parts are involved in keeping an organization compliant with privacy regulations. While it may be seen by some as a burden, regulatory compliance management is an inescapable part of doing business in the digital age. Ignoring the demands for data privacy will not make them go away. It threatens organizations with onerous financial penalties and the prospect of losing customers to more enlightened and prepared companies. It’s time for enterprises to do whatever is necessary to deal with this complex reality.

Idera provides robust solutions for SQL Server, Azure SQL Database, and Amazon RDS for SQL Server:

  • SQL Compliance Manager protects your data by monitoring activity and changes with powerful alerting and tamper-proof audit tools
  • SQL Secure allows you to discover security vulnerabilities and user permissions for SQL Server instances

Additional Regulatory Compliance Resources:

To learn more about protecting the personally identifiable information (PII) of your customers in the United States, please take some time to check out this 10-page whitepaper “Ensure the Security of Personally Identifiable Information (PII) within U.S. Federal Government Agencies” to understand protecting sensitive data in possession of the U.S. government. Safeguarding PII and preventing breaches is essential to ensure that federal agencies retain the trust of the American public.