2021 Predictions, Part One: Data Security, Compliance and Regulations
2020 has shown us that predictions are just that: predictions. They have value, and it is important for businesses to project what the new year will look like, but things change, and predictions should be approached with caution.
I’m not sure anyone could have predicted the rapid shift to remote work or the way companies have pivoted to serve their customers. But those decisions have created real-world data privacy and security concerns that I predict will persist, and will also be addressed, in 2021. For chief information security officers (CISOs), it is going to come down to recognizing data security and regulatory compliance as core parts of the business and tackling them as such.
Taking Stock of the Compliance Landscape
Data privacy has dominated security conversations in recent years and is unlikely to go away anytime soon. At the same time, regulatory compliance has consistently declined: compliance with standards like the Payment Card Industry Data Security Standard (PCI DSS) decreased for the third year in a row, with just under 28% of organizations achieving full compliance, according to Verizon’s latest Payment Security Report.
It’s also important to recognize what’s coming down the compliance pipeline in 2021 and beyond. In November 2020, California voters approved Proposition 24, establishing the California Privacy Rights Act (CPRA), the second generation of the state’s far-reaching California Consumer Privacy Act (CCPA). The law takes effect in January 2023, but given the well-documented challenges of achieving CCPA compliance, organizations should begin preparing for it now.
Moving beyond the United States, a number of compliance regimes are emerging across the globe. One that could have a particularly large impact on global business practices is Thailand’s Personal Data Protection Act (PDPA), whose enforcement was delayed until 2021 as a result of COVID-19. The PDPA is a clear sign that what matters is no longer where an organization is located but where it does business. And in today’s global economy, odds are that organizations are doing business everywhere.
Collecting Less Data
The cost of storing data has never been lower, and for years it made sense for organizations to collect as much data on their customers as possible. But not all data is created equal. Organizations have already been making strides to become leaner by collecting less, and we’ll see this trend accelerate in 2021.
The security risk of holding as much data as possible now outweighs its value, and ultimately it just does not make business sense. An easy box to check is reviewing marketing and sales materials. How many form fields are on your marketing materials? Do you really need someone’s mother’s maiden name? Which fields are you making compulsory for customers and which are optional? That is a small sample of the questions to ask, but the point stands: if you don’t need the information, or there is no clear business value in it, why are you collecting it?
And while it’s an easy box to check, it’s one of the best ways to reduce risk. Organizations should also take stock of the information they already have stored. In remote work environments it’s highly likely that sensitive data has ended up in places on the network that nobody is tracking, posing potential risks to revenue, customer trust and even employee trust.
Remediating these risks will require organizations to inspect all workstations, endpoints, enterprise applications and databases, as well as folders, file shares, cloud storage systems and every other touchpoint, for unprotected sensitive data.
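As an added example (not code from the original article or from the vendor behind it), here is a minimal discovery scan of the kind the paragraph above calls for: it walks a directory tree, flags files containing Luhn-valid payment card numbers (the data PCI DSS scopes) and US Social Security numbers, and skips anything it cannot decode as text. The sample files, paths and detection patterns are constructed for the demo; a production tool would add more detectors and handle office and archive formats.

```python
"""Minimal sensitive-data discovery scan (added example, not from the article).

Walks a directory tree and reports files that appear to hold payment card
numbers (Luhn-validated) or US Social Security numbers. The sample tree is
constructed inline so the script runs offline.
"""
import os
import re
import tempfile
from typing import Dict, List

# Candidate patterns. The PAN pattern is deliberately loose (13-19 digits with
# optional spaces or dashes between digits); the Luhn check removes most of the
# false positives such patterns produce (order ids, timestamps, phone numbers).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return Luhn-valid card numbers found in text, as digit-only strings."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def find_ssns(text: str) -> List[str]:
    """Return SSN-shaped values found in text."""
    return SSN_RE.findall(text)


def scan_tree(root: str) -> Dict[str, Dict[str, int]]:
    """Scan every file under root.

    Returns {relative_path: {"pan": n, "ssn": n}} for files with at least one
    hit. Files that cannot be opened or decoded as UTF-8 text are skipped.
    """
    hits: Dict[str, Dict[str, int]] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8") as fh:
                    text = fh.read()
            except (OSError, UnicodeDecodeError):
                continue
            counts = {"pan": len(find_pans(text)), "ssn": len(find_ssns(text))}
            if any(counts.values()):
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                hits[rel] = counts
    return hits


def demo() -> Dict[str, Dict[str, int]]:
    """Build a constructed sample tree (hypothetical file names and content)
    in a temporary directory, scan it and return the findings."""
    samples = {
        # 4111... is a well-known Luhn-valid test number; 1234... is not.
        "sales/leads.csv": "name,card\nA. Example,4111 1111 1111 1111\n"
                           "B. Example,1234 5678 9012 3456\n",
        "hr/onboarding.txt": "SSN on file: 123-45-6789\n",
        # A long numeric id that the loose pattern matches but Luhn rejects.
        "docs/readme.md": "Nothing sensitive here; order id 20210101123456.\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan_tree(root)


if __name__ == "__main__":
    for path, counts in demo().items():
        print(f"{path}: {counts}")
```

The Luhn check is what keeps such a scan usable: without it, every 13-to-19-digit order number, timestamp or phone number in a file share becomes a finding. Treat the output as an inventory to drive deletion, tokenization or access restriction, not as proof of compliance.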
Keeping an Eye on California’s CPRA
As previously mentioned, the passage of Proposition 24 and the establishment of the CPRA mean that California will have new compliance standards, and a governing body to enforce them, in 2023. The agency tasked with enforcement will also lead consumer and organization education.
As of now, the regulation is the most prominent and stringent privacy law on the books in the United States, and it applies in a state that represents the world’s fifth-largest economy. Most companies simply cannot afford not to do business in California and will need to achieve CCPA compliance in the interim before the CPRA takes effect.
California’s work to prioritize consumer data will likely serve as a roadmap for other states currently mulling or implementing their own compliance regulations. States like New York and New Jersey will be closely following the example California has set, and will hopefully learn from California’s shortcomings to create effective compliance legislation. Organizations will also need to pay close attention to California’s new enforcement body, the California Privacy Protection Agency, which, with its own budget, may look to make a splash with a flurry of compliance fines and educational workshops.
Another point worth noting is that as the compliance landscape continues to mature, regulations will have to change to remain relevant. We’ve seen this with the European Union’s General Data Protection Regulation (GDPR), where regulatory guidance and case law continue to refine the line between ordinary personal data and the special categories of sensitive personal data.
The compliance landscape has made great strides in recent years, but it’s clear from industry reports and anecdotal evidence that organizations still have work to do to hold up their end of the bargain. It is going to take more than 365 days to earn that trust, but mitigating and remediating risk where possible, today, will go a long way toward business success. The journey starts with getting a better understanding of the new levels of risk that things like remote work have created, while staying aware of the latest regulatory changes, breaches and consumer trends that affect your business.
Interested in putting Stephen’s predictions into practice? Schedule a demo with us today to get a better understanding of your personal and sensitive data management practices and build a clear path towards compliance.