You don’t have to be a security expert to notice the rising rate of data breaches making national and global news these days. In 2018, no fewer than 6500 separate incidents exposed a total of 5 billion records, and 2019 is forecast to eclipse those staggering figures. The reaction to these events has been relatively swift. In the first half of 2018, regulators for the European Union enacted GDPR (General Data Protection Regulation) in an effort to protect citizens of the EU from criminals harvesting and selling their data.
A primary focus of these regulations is ensuring that businesses that house consumer data have acceptable security protections in place to avoid breaches, and holding them accountable, through steep fines, for theft of the data they hold. California regulators have also responded: in January of 2020, the CCPA (California Consumer Privacy Act) goes into effect, requiring businesses that hold PII (Personally Identifiable Information) and/or do business with customers or partners in California to comply with these new regulations.
If you do business with customers or partners in the EU and/or California, or hold PII for people living in those regions, you will want to evaluate your exposure and make a plan for CCPA in 2020.
There are too many differences and similarities to get into the details here, but for all of their similarities, CCPA and GDPR are different animals, and the relatively new GDPR controls you put in place last year won’t allow you to take a pass on CCPA. Depending on the strength of the controls in place today, you should see some return on your GDPR investment, but inevitably CCPA will require additional controls not yet in place.
With this, 2018 and 2019 have seen the business world clamoring to evaluate which sections of GDPR and CCPA apply to them in order to build controls that ensure compliance. There is a laser-like focus, not seen before in C-suites around the globe, on not only protecting the company and brand from the embarrassment and costs associated with network breaches, but also attaining the correct level of compliance in order to avoid regulatory fines.
As with any new set of regulations, it’s a common practice to build in too much control up front. We’ve all lived the compliance nightmare of thousands of individual controls enacted by a company in year one, only to see that number fall back into the hundreds once lessons from audit and review allowed for more efficient and smarter controls. Carry those lessons forward as you prepare this time.
As technology leaders, we look for cost-effective solutions to this increased regulatory gauntlet without driving complexity through the roof. As always, security is a delicate balance between protection and minimizing cumbersome controls that challenge the efficiency of the business. The good news is that today’s cybersecurity and GRC ecosystem is awash in tools and solutions that can make the difference in keeping us secure.
Increased regulation, compliance, and cost are inextricably linked. In 2019, however, the increased pressure and focus on bullet-proof information security have given birth to an all-time high of innovative and more effective solutions to arm yourself with. These solutions can not only provide insight and help plan for a specific regulation, but also provide a wealth of information that will pay dividends as regulatory complexity continues to increase.
If you’re well situated, your GDPR policies and controls are mature (or maturing) and you’re on track to add to them for CCPA in 2020, just a few months away. If you’re playing catch-up, then now is the time to act. If you haven’t already, start with a Security and Compliance Assessment to gauge the current state of your environment and build a list of tasks to harden security, define appropriate controls, and spell out policies that will impress any auditor you encounter down the road.
Let us help you make fast, fact-based decisions for your future compliance direction. Contact us today to learn how.