Data is back in the headlines again. Long recognised as a powerful asset, in recent years personal data has increasingly become a geopolitical issue. As a source of wealth, insight and power, data is seeing heavier regulation from legal authorities. Increasingly, governments recognise the importance of policing and controlling the flows of data between countries – and they’re not afraid to intervene.
Unsurprisingly, international businesses with extensive global data networks now face growing scrutiny over the processing and transfer of data between different markets and regions. To adapt, manage and comply with these evolving standards, businesses need complete transparency of their personal data flows at all levels. This means having the right tools to help demonstrate data compliance when the regulator comes calling.
Caught in the crossfire
Data compliance is not new to businesses, with the German state of Hesse introducing the first data protection laws in 1970 – the same year as the floppy disc was invented. Whilst Europe’s 1995 Data Protection Directive was upheld until its recent replacement, nothing that came before it could claim the impact of the EU GDPR, which has had a domino effect on global data regulation, with countries around the world writing their own versions of the policy into law.
However, national culture and history mean that each country’s requirements are slightly different, creating a complex regulatory patchwork of different data rules and regulations for international businesses to navigate. And, while some authorities have adopted a more relaxed approach as businesses grapple with COVID-19, others have not. Notably, watchdogs in France, Spain and Germany have all pursued errant businesses with significant fines for GDPR breaches.
Even in the US, which has traditionally resisted a blanket approach to data regulation, there has been a growing voice from industry to modernise the regulatory data framework, with calls for California’s CCPA to be replicated in other states. It may not be long before there are new (but familiar) compliance hurdles for businesses to overcome.
Keep your data close
Organisations owe it to themselves and their customers to respect and adhere to local data requirements. Yet how can they manage the complexity of working within multiple, ever-changing regulatory frameworks? And how can they move with agility to rapidly comply with the demands of local authorities?
One of the greatest obstacles to data compliance is a lack of visibility. International businesses are typified by an amalgamation of different data environments, silos and complex data flows. Maintaining consistent standards and policies in such a context is a huge effort. Tracking specific data, its origins, its pathways, and its eventual destination is even harder. But, with the third anniversary of GDPR, this is what regulators are increasingly coming to expect.
The starting point for businesses is understanding what data they have. A Veritas study discovered that, on average, just 15% of business data is clean, managed and usable. The rest is either ROT data (that is to say, Redundant, Obsolete or Trivial), which should have been deleted, or it’s dark. Dark data is the information that a business is storing without having first classified it. The team that is maintaining the data doesn’t know what it is or even if it has any value. Often dark data contains files that should have been deleted, such as information that has reached the end of its legal lifecycle, or that should never have been on the network in the first place, such as malware.
To get this understanding, businesses need a holistic approach to data insight, where a single tool is able to interrogate files to assess their value, map their location and manage their transfer. The process of responding to a data watchdog, or even answering a consumer data access request, is just too labour-intensive, too expensive and too error-prone without one.
These tools can also be used to automate the processes that ensure compliance. For example, setting data lifecycle policies to ensure that personal data is not kept longer than is allowed, or limiting the physical location of data to ensure that it remains in compliant territories.
Yet, businesses also need to ensure these tools are flexible enough to adapt to the changing requirements of evolving data legislation. Rapid roll out of new practices to meet the demands of updated policy is a must, but maintaining the transparency of different data flows is a real challenge. Firms should look to solutions that can collect and manage the broad range of required information and help implement extensive rules and policies.
With data protection laws now an inescapable reality of operating in today’s global economy, businesses must accept that their success will be influenced by their willingness and ability to manage data as both an opportunity and a compliance issue. Monitoring the diverse and complex data sets that are created, moved, stored and deleted across a multinational business – and ensuring they stay within the bounds of the law – is difficult, but crucial. So much depends on the quality and security of data that it’s no longer sustainable for one half of the business not to know what the other half is doing with it. Fortunately, with modern technology and the latest data platforms, it’s possible to gain a real-time understanding of the flow of data within a business, and the power to control it.
And control it they must. The one thing that is absolutely clear is that regulatory control of data – especially personal data – is only getting more intense, more widespread and more costly to breach. As with any snowballing challenge, the time to address it is now, before things get even more overwhelming. Businesses should grab the regulatory bull by the horns if they hope to avoid getting skewered.