White Paper

As Regulations Gain Complexity, Organizations Must Be Strategic in Meeting Them

A proactive approach is the most effective way to comply with mandates for data safety.
by: Eric Ludwig |

Security and privacy-related regulations pose a significant challenge for many organizations. The regulatory landscape changes frequently, almost always growing in size and complexity. Complying with regulations such as HIPAA, the Payment Card Industry Data Security Standard or the General Data Protection Regulation is challenging and costly. Simply determining which regulations currently apply and identifying new and emerging regulations can require the expertise and diligence of legal and compliance professionals, especially for organizations with international customer bases. And that’s just one aspect of the many challenges of compliance.

Understanding the requirements and determining how to meet them is also time-consuming. There’s also the risk of unnecessary duplication of effort if the organization’s compliance efforts are not centralized or at least centrally coordinated. Different parts of an organization addressing different regulations may implement controls that do the same thing, or even implement the same security technology more than once.

Fortunately, there’s a clear path forward: Be proactive when it comes to compliance. Taking a strategic approach, where an organization focuses on addressing its security and privacy risks first, then identifies gaps between its collective compliance requirements and the controls it has implemented, minimizes duplication of effort and wasted resources not just now, but for many years to come. Compliance requirements are not going away. The sooner they’re tackled, the better.

$230 million

The fine British Airways paid in 2019 for violating GDPR

The Mandate: Keep Data Safe

Implementing security controls to meet requirements almost always involves protecting data — identifying the data that needs to be protected, such as customer personal information or credit card numbers, then preserving the confidentiality of that data no matter where and how it is processed, stored or transmitted. Third parties acting on behalf of the organization also need to protect the organization’s data, and the organization may be responsible for ensuring that those third parties comply with the requirements.

Some regulations require even broader protection of data. One possibility is safeguarding data not only in digital formats, but also in physical formats: data displayed on screens and observed by unauthorized people, data printed out and left in unsecured areas, and conversations about data made within earshot of people not authorized to hear that information. Another requirement in regulations such as GDPR and CCPA is that organizations must be able to identify all the data they have for a person on request, provide that data to the person within a set time period and destroy someone’s personal information if they request it. Many organizations don’t have data asset inventories, let alone the capability to pull it all together on demand, and would be hard-pressed to comply with requests from consumers.

Further complicating compliance is that it often requires securing not just the data the regulations specifically address, but also the systems, networks, physical facilities and other elements of the organization’s environment. Even if regulations don’t specifically call out those elements as needing to be secured — although some do — it’s often implied and more often an absolute necessity. Using strong encryption and other robust security controls to safeguard data is only part of compliance — if anyone can easily guess a default password and gain administrative access to a database server, the robust security controls don’t matter.

Additional considerations organizations commonly face in addressing regulations:

  • Organizations should monitor their compliance status at all times; an organization can fall out of compliance at any time. It’s the organization’s responsibility to be constantly vigilant, identify instances of noncompliance, and address them quickly to restore compliance.
  • Organizations should be prepared to respond quickly and effectively to noncompliance notifications from regulators. This generally involves assessing the deficiency, remediating it, ensuring that the deficiency no longer exists and providing evidence of this to regulators. If customers or others have been adversely affected or could have been adversely affected, the organization should be prepared to formally notify regulators, customers, the public and others.
  • If legacy systems need to be secured, it may be difficult or even impossible to achieve some requirements because the legacy systems can’t support the necessary security controls. Sometimes an organization can find other ways to meet a regulation’s requirements, such as performing security monitoring and maintenance tasks manually instead of automatically. Sometimes it may be necessary to upgrade or replace a legacy system to ensure that data is sufficiently protected.

There’s one final challenge to keep in mind: “Compliance” is not the same as “security.” Just because an organization, or systems and networks within an organization, comply with a regulation does not mean they are adequately secured. These regulations are intended to address security and privacy issues, but they aren’t by any means the equivalent of having sound security and privacy programs or risk-management capabilities. While compliance is certainly important, holistic security efforts are ultimately more important.

To learn more about how you can better meet the demands of your industry regulations, read the CDW white paper “Overcome Your Compliance Challenges.”