Data Privacy Gets More PublicBy Samuel Greengard
These days, data security and data privacy are top of mind for enterprise executives, including CIOs. Nevertheless, companies falter and increasingly find themselves incurring the wrath of the public and the press, usually following a major breach or faux paus.
The problem? In some cases, executives and their companies talk a good game but fail to live up their own standards. In other instances, the task of developing standards—especially with partners and other third-party providers—is daunting. And then there are organizations that have never bothered to develop a cohesive and consistent framework for data management.
Not surprisingly, government entities are now entering the picture. For example, New York State is introducing a set of cyber-security standards designed to boost data protection at financial companies. Among the requirements: Businesses must establish a senior chief information security officer, and the organization must file an annual compliance report.
The initiative, which encompasses companies large and small, also covers areas ranging from vulnerability testing and audit trails to security policies and third-party interactions. It is being rolled out in phases.
Of course, when a state like New York establishes guidelines, they tend to become the baseline for an industry. Yet, the move to stricter regulations doesn't stop there.
Another regulatory initiative in the news is the General Data Protection Regulation (GDPR), a European Union (EU) data protection framework that touches all firms that control or manage the personal data of residents of the European Union. It is scheduled to take effect in May 2018.
Among the key provisions: Article 12, which requires controllers to communicate with the data subjects "in a concise, transparent, intelligible and easily accessible form, using clear and plain language," and Article 22, which requires organizations to "implement appropriate technical and organizational measures" to ensure compliance and demonstrate the measures they have in place.
Organizations that fail to comply with the GDPR risk fines as high as 4 percent of global turnover, at a maximum of €20 million (U.S. $22.3 million). Yet despite the risk of huge fines, more than 50 percent of firms affected by the GDPR won't be fully compliant with its requirements by the end of 2018, according to consulting firm Gartner.
To be sure, enterprise leaders, including CIOs, must do a better job of managing and protecting data through processes and technology. There's a need for continuous compliance monitoring, code tracking and reviews, and internal auditing for compliance workflows. Regulations or not, it's all about dollars and sense.