With the growing need to improve data governance and corporate data compliance, what should organizations pay most attention to?

According to Micro Focus’ 2019 State of Security Operations, 4.1 billion compromised records were exposed in more than 3,800 publicly disclosed breaches in the first six months of 2019.

This number is expected to grow, as cybercriminals employ increasingly sophisticated tools and methodologies.

What does this mean for enterprises? With the growing need to improve data governance and corporate data compliance, what should organizations pay most attention to?

DigiconAsia sought out some insights from Matt Swinbourne, CTO for Cloud Architecture at NetApp Asia Pacific.

Why should we be concerned about corporate data compliance? Is the issue currently being addressed?

At this time, corporate data policy compliance affects every single organization in the world, making it something that organizations should keep a close track of. With more and more companies moving towards adopting a hybrid multi-cloud strategy to gain greater agility, this has led to a huge growth in the volume and number of locations in which personal data is stored. At the same time, digital transformation objectives often consist of leveraging the personal data to drive business growth. This in turn leads to a growing sense of worry about data privacy.

Currently, there are government bodies which are addressing similar concerns in the data protection industry. This includes the introduction of new data privacy regulatory laws, such as Singapore’s Personal Data Protection Act and the European Union’s General Data Protection Regulation. These policies define how personally identifiable information can be stored or accessed, the location where that data can be stored, as well as other new concepts such as the “right to be forgotten,” where a citizen can request an organization to remove all data relating to that individual from their systems.

Most of the time, these policies center on protecting data transfers within the country and across boundaries, wherein the customers’ personal data is stored in a country that is not native to the customer or where he/she resides.

However, at the present time, many organizations rely on outdated methods, or no methods at all, to cover their compliance obligations on the data they hold. In a hybrid multi-cloud world, compliance becomes a progressively challenging goal as data is now spread across many data centres and many clouds. Organizations serving global customers also have the additional challenge of complying with a variety of different national and regional privacy regulations, each with their own set of rules about data residency and data transfer.

In the current pandemic climate, how is the data protection climate globally? Are there any gaps?

There is no one universal data protection policy; it differs from country to country. However, new compliance standards are constantly emerging globally. This indicates that maintaining compliance can therefore be tricky, as organizations need to comply with the data protection policies in both their home country and the other countries in which they operate.

What happened in the past was that organizations would address these concerns with outdated mechanisms like regular expression mapping, which identifies sensitive data using known patterns, or other basic data identification methods. However, those traditional methods are unable to scale and adapt fast enough to the rapidly changing compliance landscape.

Machine learning (ML)-driven engines are helping us address the problem. The efficiency in terms of the human intervention required, as well as the integrity and accuracy provided by machine learning-based solutions for compliance, have improved the methods of identifying compliance risks enormously compared to more traditional methods. Not only can machine learning bring more efficiency and accuracy, these mechanisms are also able to pivot rapidly to adopt new compliance requirements with very little training.

What are some examples and consequences for data privacy breaches?

One such consequence of data privacy breaches is the financial implications. GDPR, for example, imposes fines on a sliding scale measured by the organization’s global revenues. Specific to Singapore, 26 companies have been fined a total of S$1.28 million as of August last year for breaching the Personal Data Protection Act (PDPA), which is a record high since PDPA came into effect in 2016.

Besides the financial implications, other consequences of data privacy breaches consist of the loss of customer trust in a brand and subsequently, loss of business. Today’s customers expect organizations to comply with modern-day privacy regulations and be responsible for preventing unnecessary disclosure or loss of their personal data.

What are the customers’ rights when working with data management or data privacy companies?

Today, customers sit at the center of it all. They can ask businesses for their data management or data privacy policies upon interaction. Since many companies will already have existing policies in place and are likely to have some measure of compliance against their own policy, customers (especially those covered by data protection laws such as CCPA, PDPA and GDPR) can ask to see a report of the personal data that an organization is storing and ask it to edit or delete it.

Companies which do not have a compliant policy in place could find themselves in a tricky situation as customers may refuse to do business with them, until the appropriate data privacy or compliance measures are put in place.

How can organizations make themselves compliant?

With increasing regulatory requirements put in place, the shifting and complex nature of the hybrid multi-cloud space can be difficult to maneuver in.

To simplify things, organizations can make themselves compliant by taking a privacy-by-default approach to data storage. This can be attained through investing in tools that can allow for visibility and control over their cloud-based deployments.

With these tools, organizations can implement a data lifecycle in order to comply with data retention laws. Along with the implementation of services like NetApp Cloud Compliance, businesses can effectively support right-to-be-forgotten requests, and identify sensitive information potentially stored against policy.

With these capabilities and tools, organizations can anticipate and plan ahead in terms of business strategies. This will allow them to have the right technical and operational measures in place to comply with data privacy regulations across their hybrid multi-cloud, even as regulations evolve and/or when the company expands their business to new countries.

What is the business impact of breaching data compliance?

We are seeing an escalation in the cost of non-compliant data breaches. A recent study found that ASEAN businesses lost an average of US$2.62 million last year to such incidents, up from US$2.53 million in 2018. The cost includes detection, escalation, notification, as well as lost business due to business disruption, customer turnover, reputation loss, and diminished goodwill.

In addition, data breaches could also cause long-term damage such as losing market capitalization. According to a report, a data breach can cause the average share price of a company on Wall Street to fall by 7.27 percent on disclosure, with low share value and growth underperformance a reality for years afterwards.