With tens of billions of personal records stolen in recent years by cybercriminals, it is no wonder data privacy is a hot-button topic. Accordingly, data privacy laws are tightening. The European Union's (EU's) General Data Protection Regulation (GDPR) is setting the pace, and the rest of the world is expected to follow.
“The GDPR is known as the toughest privacy and security law in the world,” said Anastasios Gkouletsos, cybersecurity lead at London-based HR platform Omnipresent. “Many companies outside of the EU don’t realize that it can still impose obligations onto them if they target or collect data about people in the EU. In a globalized and highly connected environment, where sharing personal data can be done with the click of a button, staying compliant with GDPR can pose challenges.”
The law has teeth. Since being enacted in 2016, almost 900 organizations have been fined more than €1.25 billion. Amazon Europe alone was fined three quarters of a billion. Fines have been imposed on the likes of WhatsApp, Google, Target, Yahoo, Marriott, Equifax and Facebook. They were doled out for violations related to records about such things as health, sexual orientation, race, age and weight.
Gkouletsos said the less severe infringements can result in a fine of up to €10 million, or 2 percent of the firm's worldwide annual revenue from the preceding financial year, whichever is higher. Additionally, GDPR allows data subjects to seek monetary damages in court from anyone violating their rights. Reputational damage, then, is also in play.
Other countries are passing similar laws, and the California Consumer Privacy Act (CCPA) is now law. It is similar to the GDPR and applies to any company that operates in California making $25 million in annual revenue, gathering data on more than 50,000 users, or making more than half its revenue from user data. Other states are following suit.
“The CCPA regulation means that organizations with data in legacy systems can no longer ignore this data or the need for a flexible, comprehensive, and robust way to access it,” said Zeev Avidan, chief product officer at OpenLegacy, an integration software company in Princeton, N.J.
Coping with Data Privacy Laws
It is vital, therefore, to be aware of privacy laws and take steps to avoid violations. Here are some measures to implement that protect client and employee personal data and help avoid falling afoul of GDPR, CCPA or similar regulations:
- Data Encryption. Keep data encrypted and anonymized.
- Cloud Hosting. As an alternative to a physical data center, smaller firms with geographically diverse user bases may find it easier to use a cloud service provider and leverage its security and compliance controls.
- Vulnerability Assessments. Run annual third-party penetration tests and perform regular vulnerability scans.
- Information Security Policies. Develop and maintain a written information security policy, along with policies for access control, change management and data integrity.
- Endpoint Security. Endpoint security should be a priority for every company, but particularly for those that are going global. For remote teams, endpoint security should go far beyond installing off-the-shelf anti-virus software. An effective endpoint security solution should also include a firewall, malware removal, ransomware protection, device management, a password manager, patch management and a business VPN.
“Vulnerability scans help identify multiple blind spots in data security, transference and weaknesses,” said Gkouletsos. “There are several vendors that help you also identify compliance gaps, but in general, GDPR requires you to maintain a resilient IT infrastructure wherein your organizational and security measures are working effectively.”
HR and Privacy
HR departments need to pay particular attention to data privacy laws.
“Beyond data security and protection standards, numerous government and industry regulations like GDPR bind workforce data,” said James McQuivey, an analyst at Forrester Research. “These complex regulations will increase, making it more difficult to determine what employee and workforce information you can collect and how you can use it.”
He believes cloud-based HCM solutions can help, such as Oracle Advanced HCM Controls and SAP with Trust Center. Alternatively, some firms are moving data from the cloud back on premises to stay in control of its location. When placed in the cloud, data could be stored in any number of locations around the globe, which could lead to inadvertent violations.
“Since data and applications don’t need to be geographically co-located, you can launch applications in the cloud, but keep the data that the application needs on-premise,” said Steve Wallo, chief technology officer at Vcinity.
Another way to go about it is to implement intelligent archiving instead of dumping archived data into a cold tier of storage and essentially losing control of its location. An active archive is a combination of open system applications with different types of disk and tape hardware that intelligently monitor and migrate data across multiple storage devices while maintaining fast user accessibility. It also can help keep track of the many details involved in complying with data privacy laws.
“Better implementation of data privacy regulations like the GDPR and CCPA are driving change,” said Brendan Sullivan, CEO of SullivanStrickler, a legacy data support company. “The trend will give rise to greater demand for intelligent active archive solutions.”
And then there is data masking from vendors such as DataMasque, which can alter names, addresses, and other confidential information without rendering it useless to applications and analytics engines.
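As an added illustration of the kind of masking described above (example code written for this page, not DataMasque's or any vendor's implementation): a keyed, deterministic pseudonymization pass that keeps the data usable, so the same person always maps to the same pseudonym, email domains and phone formatting are preserved, and postcodes are coarsened to their area. The key and the records are constructed for the demo; in practice the key would come from a secret store.

```python
import hashlib
import hmac
import re

# Constructed sample records (fictitious people), as exported from an HR or CRM system.
RECORDS = [
    {"id": 1, "name": "Alice Example", "email": "alice@example.org",
     "phone": "+44 20 7946 0123", "postcode": "SW1A 1AA"},
    {"id": 2, "name": "Bob Sample", "email": "bob@example.org",
     "phone": "+1 555 0100", "postcode": "90210"},
    {"id": 3, "name": "Alice Example", "email": "alice@example.org",
     "phone": "+44 20 7946 0123", "postcode": "SW1A 1AA"},
]

def _prf(key: bytes, field: str, value: str) -> int:
    """Keyed, deterministic pseudo-random integer for one field value; the field
    name is mixed in so an identical string masks differently in each column."""
    digest = hmac.new(key, f"{field}\x00{value}".encode(), hashlib.sha256).digest()
    return int.from_bytes(digest, "big")

def mask_name(key: bytes, name: str) -> str:
    # Same real name -> same pseudonym, so joins across tables still line up.
    return f"Person-{_prf(key, 'name', name) % 10**8:08d}"

def mask_email(key: bytes, email: str) -> str:
    # Keep the domain (still useful for analytics), replace only the local part.
    local, domain = email.rsplit("@", 1)
    return f"user{_prf(key, 'email', local.lower()) % 10**10:010d}@{domain}"

def mask_phone(key: bytes, phone: str) -> str:
    # Preserve '+', spaces and length; swap every digit for a keyed pseudo-random one.
    digits = re.sub(r"\D", "", phone)
    stream = iter(f"{_prf(key, 'phone', digits):078d}")  # 256-bit value, up to 78 digits
    return "".join(next(stream) if c.isdigit() else c for c in phone)

def mask_postcode(postcode: str) -> str:
    # Generalization rather than pseudonymization: keep the area, blank the rest.
    head, sep, tail = postcode.partition(" ")
    if sep:
        return f"{head} {'X' * len(tail)}"
    return postcode[:3] + "X" * (len(postcode) - 3)

def mask_record(key: bytes, rec: dict) -> dict:
    # The surrogate id is kept untouched so the masked copy stays joinable.
    return {"id": rec["id"], "name": mask_name(key, rec["name"]),
            "email": mask_email(key, rec["email"]), "phone": mask_phone(key, rec["phone"]),
            "postcode": mask_postcode(rec["postcode"])}

def mask_dataset(key: bytes, records: list) -> list:
    return [mask_record(key, r) for r in records]
```

Because the pseudonyms are keyed, anyone holding the key can re-link them, so the masked copy is pseudonymous rather than anonymous under GDPR and the key needs the same protection as the original data.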
Drew Robb is a freelance writer in Clearwater, Fla., specializing in IT and business.