By doing the minimum work necessary to adhere to regulatory demands, most organizations will find themselves continually revising their existing privacy policies to match new demands made by regulatory bodies; for example, the upcoming California Consumer Privacy Act (CCPA).
In the U.S., the future is set to be either a patchwork of regulations or one federally regulated data privacy law. The spirits of these laws require that companies take a proactive, comprehensive approach to defending customer data. However, such regulations will not encapsulate every single security best practice for all time – threats and IT ecosystems are constantly evolving. As such, organizations need to fill in the blanks themselves and ensure that data is safe wherever it goes.
Digital Journal spoke with Jacob Serpa, a security threat researcher at Bitglass, to discuss how organizations can create privacy policies that anticipate future demands made by regulatory bodies, stay ahead of the latest threats, and please their customers and prospects.
Digital Journal: How can organizations create privacy policies that anticipate future demands made by governments and other regulatory bodies?
Jacob Serpa: Regulatory compliance should be viewed as a floor for security rather than a ceiling. In other words, organizations must focus on proactively protecting customer data, rather than only addressing the requirements demanded by regulations. By doing the minimum work necessary to adhere to regulatory demands, organizations will find themselves continually revising their existing privacy policies to match new demands made by regulatory bodies. By shifting to a privacy-focused mindset and employing proactive and flexible security tools, enterprises will be able to create a forward-thinking privacy policy that is one step ahead of regulatory authorities.
DJ: How will being forward-thinking about your privacy policy help businesses?
Serpa: It is more efficient to be proactive about security than it is to react to issues as they arise. It will save companies time, prevent deployment headaches, and enhance their brand images by showing that they truly care about protecting their consumers’ data. This is particularly important because 87 percent of consumers will take their business elsewhere if they do not trust that a company is handling their data responsibly, according to PwC’s recent study on consumer behaviors.
DJ: What goals would future privacy mandates have?
Serpa:While specific demands will be refined and altered over time, regulations are ultimately concerned with securing access to data and defending it against a host of internal and external threats. As an example, while GDPR was the first mandate to prioritize data sovereignty to a massive extent, future regulations are likely to follow suit, and to spell out additional and potentially more specific requirements on the topic.
How often should organizations review their privacy policies?
How often organizations should review their privacy policies depends upon the industries in which they operate, the tools that they employ, and how forward-thinking they are. If an enterprise’s goal is merely to meet the minimum compliance and regulatory standards with which it is faced, then it will need to reevaluate its existing policies whenever regulations are updated or introduced. If a company regularly adopts new technologies and tools, then it may need to update its privacy policy regularly to detail how it is protecting data as it is used in new ways. In other words, there is no one-size-fits-all approach.
Do data privacy regulations harm businesses, or do they stand as a potential way to obtain a competitive edge?
Enterprises must put security, compliance and consumer privacy at the epicenter of their business model and back that with proactive security strategies that can help address customers’ privacy concerns and cement their loyalty. For example, as businesses continue to leverage cloud and multi-cloud environments to innovate, drive profits and ultimately deliver greater value to their customers; those companies must adopt security solutions that enforce real-time access control, manage the sharing of data with external parties, encrypt data at rest, and prevent data leakage to ensure the protection of data.
The upcoming enactment of CCPA, for example, will allow Californians the right to know all data collected about them, the right to say no to the sale of their information, right to be forgotten and more. Companies can capitalize on this and build consumer trust right now by giving consumers this control over their data and being more transparent about how their personally identifiable information (PII) may be used.
DJ: How can businesses get ahead of the ever-evolving data privacy landscape?
Serpa:To get ahead of the dynamic data privacy landscape and comply with mandates such as CCPA, organizations must make protecting their customers’ data a priority with a proactive cybersecurity strategy, and be transparent about how they are going about that. Unfortunately, most organizations make no indication about who is responsible for their security strategy — in fact, 77 percent of Fortune 500 companies don’t, according to a recent Bitglass study.
Organizations that adopt solutions that enforce real-time access control, manage the sharing of data with external parties, encrypt data at rest and prevent data leakage are essential for any company’s cybersecurity program. Companies must also learn how to communicate with consumers about the steps it may be taking to protect their data.
DJ: Anything else you would like to add?
Serpa:No regulation will perfectly encapsulate every single security best practice for all time – threats and IT ecosystems are constantly evolving. As such, organizations need to fill in the blanks themselves and ensure that data is safe wherever it goes by continuously evaluating what they can be doing better when it comes to protecting customer data and privacy.
