Implementing security controls to meet requirements almost always involves protecting data — identifying the data that needs to be protected, such as customer personal information or credit card numbers, then preserving the confidentiality of that data no matter where and how it is processed, stored or transmitted. Third parties acting on behalf of the organization also need to protect the organization’s data, and the organization may be responsible for ensuring that those third parties comply with the requirements.

Some regulations require even broader protection of data. One possibility is safeguarding data not only in digital formats, but also in physical formats: data displayed on screens and observed by unauthorized people, data printed out and left in unsecured areas, and conversations about data made within earshot of people not authorized to hear that information. Another requirement in regulations such as GDPR and CCPA is that organizations must be able to identify all the data they have for a person on request, provide that data to the person within a set time period and destroy someone’s personal information if they request it. Many organizations don’t have data asset inventories, let alone the capability to pull it all together on demand, and would be hard-pressed to comply with requests from consumers.

Further complicating compliance is that it often requires securing not just the data the regulations specifically address, but also the systems, networks, physical facilities and other elements of the organization’s environment. Even if regulations don’t specifically call out those elements as needing to be secured — although some do — it’s often implied and more often an absolute necessity. Using strong encryption and other robust security controls to safeguard data is only part of compliance — if anyone can easily guess a default password and gain administrative access to a database server, the robust security controls don’t matter.

Additional considerations organizations commonly face in addressing regulations:

• Organizations should monitor their compliance status at all times; an organization can fall out of compliance at any time. It’s the organization’s responsibility to be constantly vigilant, identify instances of noncompliance, and address them quickly to restore compliance.
• Organizations should be prepared to respond quickly and effectively to noncompliance notifications from regulators. This generally involves assessing the deficiency, remediating it, ensuring that the deficiency no longer exists and providing evidence of this to regulators. If customers or others have been adversely affected or could have been adversely affected, the organization should be prepared to formally notify regulators, customers, the public and others.
• If legacy systems need to be secured, it may be difficult or even impossible to achieve some requirements because the legacy systems can’t support the necessary security controls. Sometimes an organization can find other ways to meet a regulation’s requirements, such as performing security monitoring and maintenance tasks manually instead of automatically. Sometimes it may be necessary to upgrade or replace a legacy system to ensure that data is sufficiently protected.

There’s one final challenge to keep in mind: “Compliance” is not the same as “security.” Just because an organization, or systems and networks within an organization, comply with a regulation does not mean they are adequately secured. These regulations are intended to address security and privacy issues, but they aren’t by any means the equivalent of having sound security and privacy programs or risk-management capabilities. While compliance is certainly important, holistic security efforts are ultimately more important.