With tens of billions of personal records stolen by cybercriminals in recent years, it's no wonder data privacy is a hot topic. Accordingly, data privacy laws are tightening up. The European Union's General Data Protection Regulation (GDPR) is setting the pace, and additional regulations are expected to follow in the rest of the world.
"The GDPR is known as the toughest privacy and security law in the world," said Anastasios Gkouletsos, cybersecurity lead at London-based HR platform Omnipresent. "Many companies outside of the EU don't realize that it can still impose obligations onto them if they target or collect data about people in the EU. In a globalized and highly connected environment, where sharing personal data can be done with the click of a button, staying compliant with GDPR can pose challenges."
The law has teeth. Since being enacted in 2016, almost 900 organizations have been fined more than €1.25 billion. Amazon Europe alone had to pay €750,000. Fines have also been imposed on WhatsApp, Google, Target, Yahoo, Marriott, Equifax and Facebook for violations related to records involving health, sexual orientation, race, age and weight.
Gkouletsos said the less severe infringements can result in fines of up to €10 million or 2 percent of the firm's worldwide annual revenue from the preceding financial year, whichever is higher. Additionally, the GDPR allows data subjects to seek monetary damages in court from anyone violating their rights. Reputation damage, then, is also in play.
Other countries and jurisdictions are passing similar laws, such as the California Consumer Privacy Act (CCPA). This law is similar to the GDPR and applies to any company operating in California that makes $25 million in annual revenue, gathers data on more than 50,000 users or makes more than half its revenue from user data.
"The CCPA regulation means that organizations with data in legacy systems can no longer ignore this data or the need for a flexible, comprehensive and robust way to access it," said Zeev Avidan, chief product officer at OpenLegacy, an integration software company in Princeton, N.J.
Coping with Data Privacy Laws
It is vital, therefore, to be aware of privacy laws and take steps to avoid violations. Here are some ways employers can protect and maintain client and employee personal information and data:
- Data encryption. Keep data encrypted and anonymized.
- Cloud hosting. As an alternative to a physical data center, smaller firms with geographically diverse user bases may find it easier to use a cloud service provider and leverage its security and compliance controls.
- Vulnerability assessments. Run annual third-party penetration tests and perform regular vulnerability scans.
- Information security policies. Develop and maintain a written information security policy, along with policies for access control, change management and data integrity.
- Endpoint security. This should be a priority for every company, but particularly for those going global. For remote teams, endpoint security should go far beyond installing off-the-shelf anti-virus software. An effective endpoint security solution should also include a firewall, malware removal, ransomware protection, device management, a password manager, patch management and a business VPN.
"Vulnerability scans help identify multiple blind spots in data security, transference and weaknesses," Gkouletsos said. "There are several vendors that help you also identify compliance gaps, but in general GDPR requires you to maintain a resilient IT infrastructure wherein your organizational and security measures are working effectively."
HR and Privacy
HR departments need to pay particular attention to data privacy laws.
"Beyond data security and protection standards, numerous government and industry regulations like GDPR bind workforce data," said James McQuivey, an analyst at Forrester Research, a research and advisory company based in Cambridge, Mass. "These complex regulations will increase, making it more difficult to determine what employee and workforce information you can collect and how you can use it."
He believes cloud-based human capital management solutions, such as Oracle Advanced HCM Controls and SAP with Trust Center, can help. Alternatively, some firms are moving data from the cloud back on premises to stay in control of its location. When placed in the cloud, data could be stored in any number of locations around the globe, which could lead to inadvertent violations.
"Since data and applications don't need to be geographically co-located, you can launch applications in the cloud but keep the data that the application needs on-premise," according to Steve Wallo, chief technology officer at Vcinity, a data management company based in San Jose, Calif.
Another way to go about maintaining control of the data's location is to implement intelligent archiving. An active archive is a combination of open system applications with different types of disk and tape hardware that intelligently monitor and migrate data across multiple storage devices while maintaining fast user accessibility. It also can help keep track of the many details involved in complying with data privacy laws.
"Better implementation of data privacy regulations like the GDPR and CCPA is driving change," said Brendan Sullivan, CEO of SullivanStrickler, a legacy-data support company in Atlanta, Ga. "The trend will give rise to greater demand for intelligent active archive solutions."
Additionally, data masking from vendors such as DataMasque can alter names, addresses and other confidential information without rendering it useless to applications and analytics engines.
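The following Python script is an added illustration of the two ideas above (the "keep data anonymized" advice in the checklist and the data-masking paragraph); it is not code from the article, from DataMasque or from any other vendor named here. It shows keyed pseudonymization, which replaces names and email local parts with tokens that stay consistent across records so joins and counts still work, alongside generalization, which coarsens age and postcode so they are less identifying. The sample records, the secret key and the field names are all constructed for the example.

```python
import hashlib
import hmac
from typing import Dict, List

# Constructed sample HR records; the people, emails and postcodes are fictional.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"name": "Alice Example", "email": "alice@example.com", "age": "34",
     "postcode": "SW1A 1AA", "weight_kg": "61"},
    {"name": "Bob Sample", "email": "bob@example.org", "age": "58",
     "postcode": "M1 1AE", "weight_kg": "88"},
    # Same person as the first record, later measurement: tokens must match.
    {"name": "Alice Example", "email": "alice@example.com", "age": "34",
     "postcode": "SW1A 1AA", "weight_kg": "62"},
]


def pseudonymize(value: str, key: bytes, field: str, length: int = 16) -> str:
    """Keyed, deterministic pseudonym for one field value.

    Same input -> same token, so analytics can still group and join records.
    An HMAC with a secret key (rather than a plain hash) means an attacker who
    sees the tokens cannot reverse them by hashing guessed names or emails.
    The field name is mixed in so "Alice" as a name and "Alice" as a city
    do not produce the same token.
    """
    normalized = value.strip().lower()
    mac = hmac.new(key, f"{field}:{normalized}".encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:length]


def mask_email(email: str, key: bytes) -> str:
    """Format-preserving masking: output still looks like an email address.

    The local part is replaced by a pseudonym; the domain is kept so that
    applications validating or grouping by domain keep working.
    """
    local, sep, domain = email.partition("@")
    if not sep:
        return pseudonymize(email, key, "email")
    return f"{pseudonymize(local, key, 'email')}@{domain}"


def generalize_age(age: str) -> str:
    """Generalization: replace an exact age with a ten-year band."""
    low = (int(age) // 10) * 10
    return f"{low}-{low + 9}"


def truncate_postcode(postcode: str) -> str:
    """Generalization: keep only the outward part of a UK-style postcode."""
    return postcode.strip().upper().split()[0]


def mask_record(rec: Dict[str, str], key: bytes) -> Dict[str, str]:
    """Mask one record. Direct identifiers are pseudonymized, quasi-identifiers
    are generalized, and the measurement needed for analytics is kept."""
    return {
        "name": pseudonymize(rec["name"], key, "name"),
        "email": mask_email(rec["email"], key),
        "age": generalize_age(rec["age"]),
        "postcode": truncate_postcode(rec["postcode"]),
        "weight_kg": rec["weight_kg"],
    }


def mask_dataset(records: List[Dict[str, str]], key: bytes) -> List[Dict[str, str]]:
    return [mask_record(r, key) for r in records]


def leaks_direct_identifier(originals: List[Dict[str, str]],
                            masked: List[Dict[str, str]]) -> bool:
    """Sanity check a reviewer can run before releasing a masked extract:
    does any original name or email local part survive in the output?"""
    blob = " ".join(" ".join(m.values()) for m in masked).lower()
    for rec in originals:
        if rec["name"].lower() in blob:
            return True
        if rec["email"].split("@")[0].lower() in blob:
            return True
    return False


if __name__ == "__main__":
    # Constructed key for demonstration only; in practice it comes from a
    # secrets manager and is stored separately from the masked data.
    demo_key = b"constructed-demo-key-do-not-reuse"
    for row in mask_dataset(SAMPLE_RECORDS, demo_key):
        print(row)
```

The design choice worth noting is that pseudonymized data of this kind is still personal data under the GDPR (Article 4(5) defines pseudonymisation, and Recital 26 makes clear such data remains in scope), because whoever holds the key can re-identify the records. Only the generalized fields move toward anonymization; the key therefore needs the same access controls as the original data, and the masked extract should not be treated as out of scope for the regulation.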
Drew Robb is a freelance writer in Clearwater, Fla., specializing in IT and business.