
Legislation Is Driving Accountability And Pain For Organizations
Richard Mendoza, Senior Director, Data Privacy & Regulatory Compliance, Realogy Holdings Corp.


When the General Data Protection Regulation (GDPR) was enacted in 2018, it permanently changed how the world and organizations handle personal information. It sparked legislative initiatives everywhere and moved states like California (CCPA) and Virginia (VCDPA) to create comprehensive laws governing data and its usage. This process is beneficial to risk professionals like me, but has the pendulum swung too far, putting undue pressure on mid-size businesses?
The privacy standards being promulgated through organizations to safeguard customer/client data are extensive and create significant budget and resource constraints on companies, but what risk is being mitigated? As risk professionals, we continually look at risk and evaluate the potential impact and harm to customers and clients if their data were exfiltrated. Are these enacted laws, which are not entirely uniform, actually helping to prevent user data from being lost? It can be debated that more is less when it comes to layering data privacy controls. Should we as a risk management community focus on doing fewer controls well, or implement multiple mechanisms but be stretched too thin to truly monitor events extensively?
What is the solution? Our society has spent the last decade divulging so much personal information via multiple mediums and social media platforms that a reckoning was inevitable. When one side has reaped benefits from another, a course correction is necessary, but when regulatory bodies get involved, legislative overreach may occur.
The time has come for federal legislation that is built on solid principles and a practical approach to protecting data. I fully support the mind shift toward culling back scope creep in data usage, but we must allow organizations to innovate and move the data landscape forward. Complacency and overbearing data restrictions are detrimental to businesses large and small in the long term.
As always, a problem with no proposed solution is a fruitless endeavor. To position your organization to meet the growing list of requirements, focus on the following controls to help prevent data loss and punitive damages from regulatory missteps:
• Vendor due diligence, with canned legal verbiage ready to provide notice of breach and to specify required security controls.
• Identity access management and entitlement review. This administrative control helps prevent access to information outside someone's needs and assists in risk avoidance.
• Encrypt data in transit/at-rest, as encrypted data is an excellent control and very cost-effective.
• Mask/obfuscate PI in unsecured development environments. This can be expensive, so using fake data is a great approach.
• Have a process and infrastructure to respond to data subject access requests, with staff trained to handle these requests and understand the requirements.
• Delete data after its usefulness has ended, and do it automatically.
• Data classifications and data governance. This may be the next level, but flexibility in how you categorize data can be useful and better position your organization in the future.
• Document and retain evidence of your controls and logs.
The laws that we are seeing are putting organizations on notice to implement strong technical and organizational safeguards as well as have a robust monitoring ecosystem in place. The items listed above should put your organization in a defendable position in the event of a regulatory inquiry or matter.