Vaccinate your data: Addressing and adapting to new data risks
It seems like only yesterday that we were all reading up on what the implementation of the European Union’s General Data Protection Regulation (GDPR) would mean for businesses operating in (or handling data collection with organizations in) the EU.
Even those of us who might not recall reading through each requirement of the GDPR will most certainly remember the barrage of emails from companies storing data on us. Our inboxes were flooded with emails explaining how our data was being used and, if that use was undesirable, giving us the chance to simply “opt out”.
Now, three years on, with more than 661 fines handed out since the regulation’s arrival, there are still risks that we don’t know about or are not solving when it comes to data protection and transparency. These “unknown unknowns” have been brought to the fore over the past 12 months as organizations continue to battle with the new risks of remote working at the height of the pandemic.
It is important that data protection and governance specialists keep their data protection “vaccinations” up to date, to comply with the newest strains of risk. Whilst enforcement of the GDPR continues as usual, the world around us has evolved to raise the bar on new risks to consider. COVID-19 has highlighted the need for better control to minimize the risks of data exposure. We have employees working remotely in untrusted environments.
Customer data is being transferred between a whole host of remote “offices” and employees working off different personal or private networks with little oversight. This means that we are all digital citizens with data stewardship responsibilities, and understanding the data within your organization is more important than ever if you are to implement the defenses needed to protect it. A mask to cover up any flaws or holes in your remote data protection policy is simply not enough.
As hybrid working becomes the norm and data sets inevitably continue to grow, data privacy, compliance and protection officers need to ensure they are fully immunized against new data risks to keep the trust of their employees, partners, and customers alike.
Post-Brexit complications and new data risks
One of the new data risks that many organizations are currently grappling with alongside the pandemic is the UK’s exit from the EU. Despite the original agreement for the UK to continue to follow the regulations outlined by the GDPR, concrete agreements on data transfer conditions were not set out on a long-term basis. This creates room for divergence on data standards.
During negotiations, the UK proposed that the parties should be fully committed to the free flow of data, while the EU insisted on the primacy of data protection, including rules governing and limiting cross-border transfers.
Right now, post-Brexit complications mean that thousands of British firms may be in breach of the GDPR. This is increasing the pressure on organizations to ensure that effective data governance is in place to enable data protection and transparency into data movement. This pressure has also been heightened by the fact that digital transformation efforts have accelerated at an exponential rate because of the pandemic.
Rushed or accelerated digitization means that many organizations have doubled or tripled the volume of data moving between hybrid cloud and on-premises environments without the right tools in place to ensure reliable data governance. This creates a new challenge to enable trust assurance in the data itself.
Minimizing the unknown unknowns
Organizations need the technology framework in place to not only handle increasing cyber threats, but to bring automation technologies like AI on board to handle data management tasks, enabling organizations to conduct and accelerate data audits that are crucial to data governance.
Metadata-driven discovery tools are a prime example: they make it easier to identify large, fragmented data sets spread across the globe, both for untapped value creation and for dark data potentially creating risks. With data precisely and efficiently catalogued and audited, organizations can begin to gain control over their “unknown unknowns,” and prioritize the top-of-mind opportunities and risks to address.
To significantly enhance data management, organizations can benefit by deploying data governance solutions built on a foundation with AI for more efficient automation capabilities. Once this is in place, businesses will have built a more effective, intelligent data governance foundation that will improve compliance and data protection simultaneously.
A robust data governance stance has the effect of enhancing cybersecurity solutions and capabilities, providing data protection, risk, and compliance officers with essential visibility into data use and exposure. When data understanding is unified in its access, use and proliferation and made available for safe and compliant use, security specialists can take steps towards building confidence that end-to-end protection is in place across all data locations, minimizing grey areas where unknowns can proliferate.
The road ahead
COVID-19 should not be a reason to delay addressing the increasing complexities surrounding compliance. If anything, we’ve learned that increasing risks only create more urgency. In fact, having a baseline of best practices and capabilities in place can make it easier for businesses globally to adapt to new or evolving legal requirements by taking a consistent, repeatable, and scalable approach.
It is not enough to just adopt cybersecurity solutions. Instead, it is about streamlining data governance in a way that allows you to locate and present contextual data use with the transparency you need to support consumer rights for appropriate handling, whilst mitigating security risks that result in data loss, abuses, and fines.
GDPR is just the beginning, and adhering to regulations is a long-term journey. Many countries around the world now have very similar regulations to protect data and enable transparency, such as the California Consumer Privacy Act (CCPA), effective in 2020, while the EU proposes new AI and data governance regulations in a next phase.
There are calls from large global organizations who would like a single framework, something they can manage and then tweak locally as the regulations require rather than rebuilding anew every few years. But until we reach that destination, it is important for businesses to continue to adapt and improve their data governance processes to keep pace with the shifting privacy landscape.