Privacy Regulations are Evolving, and Businesses Must Respond

By Ulf Mattsson, Chief Security Strategist, Protegrity
Posted on: May 24, 2021

We’re venturing into new territory on the data-regulation front. Not only are more countries and U.S. states enacting regulations, the scope of protection is growing. By 2023, Gartner predicts that 65 percent of the world’s population will have its personal data covered under modern privacy regulations, up 10 percent from 2020.

All of this is taking place amid a backdrop of persistent and more deadly cyber-attacks—increasingly adapted to exploit the pandemic and people working remotely. As cybergangs continue to evolve and use new and more elaborate hacking methods, it’s imperative for organizations to prioritize modernizing their data-privacy standards and tools. 

The right data-protection and -privacy framework allows organizations to confidently use data to drive artificial intelligence (AI), machine learning (ML), and more advanced predictive data analytics. This includes fine-grained data-protection methods that reduce security risks and achieve compliance.

Compliance is Crucial

Over the last few years, the thinking about data privacy has changed. The launching pad for this brave new world was, of course, the European Union’s General Data Protection Regulation (GDPR). When it went into effect in 2016, it established a data framework that touched companies all over the world. Suddenly, any company doing business with any individual in the EU had to adhere to strict privacy rules.

Since then, data-privacy standards have continued to emerge and evolve. The California Consumer Privacy Act (CCPA) sets strict standards for how companies manage and retain customer data. Consumers generally have the right to opt out of having their data sold or shared, and they can request that their personal information be deleted. Meanwhile, nearly two dozen states have various privacy initiatives under consideration.

The result is a mélange of regulations and data standards that can present formidable challenges for businesses. Not only is it necessary to reevaluate enterprise standards, it is also essential to comply with all of them, even when they point in different, and sometimes opposite, directions. For example, GDPR uses an opt-in framework for consent, while California has adopted an opt-out approach.

Not surprisingly, this situation presents formidable hurdles for companies attempting to manage customer data—and make it available for more advanced AI, ML, and predictive analytics. Today, there’s a growing need for more granular controls over personally identifiable information (PII) in a world where data increasingly flows across systems, companies, and international borders. 

Making matters worse, changes in how GDPR is applied are further complicating the task. For instance, in July 2020, the Court of Justice of the EU invalidated the European Commission's adequacy decision for the EU-U.S. Privacy Shield. Simply put, it ruled that U.S. protections are not adequate. As a result, companies must assess their data-transfer mechanisms under Article 46 of the GDPR, which can pose a significant challenge for a business sending data to multiple jurisdictions globally.

Boosting Protections

The ability to handle cross-border traffic that touches different jurisdictions is mission critical. There are a number of approaches organizations can take to move toward a best-practice framework. For instance, the use of cloud containers can help by making workloads and data more manageable and flexible. At the same time, organizations must build mechanisms into websites and apps that accommodate regulations. Although it is possible to use IP addresses to infer a consumer's location, this is not a foolproof method, since VPNs, proxies, and mobile carriers routinely misplace users. It is better to have consumers create accounts and log in whenever possible, so that their declared jurisdiction and consent choices travel with the account.

There is also data-management and data-protection technology that anonymizes and obfuscates data. This includes data tokenization and differential privacy or k-anonymity, as well as emerging methods such as homomorphic encryption, which allows computations to take place on encrypted data without decrypting it. Trusted Execution Environments (TEEs) can also help: a TEE uses an isolated area of a processor to keep code and data segregated and confidential, even from the host operating system.
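To make the k-anonymity idea concrete, here is an added example (not code from the original post or from Protegrity) that measures the k-anonymity of a small constructed record set and generalizes quasi-identifiers until a target k is met. The records, the choice of ZIP code and age as quasi-identifiers, and the generalization ladder are all assumptions made for illustration.

```python
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample records for illustration; none describe real people.
RECORDS: List[Dict] = [
    {"name": "A. Example", "zip": "94105", "age": 34, "diagnosis": "flu"},
    {"name": "B. Example", "zip": "94107", "age": 36, "diagnosis": "asthma"},
    {"name": "C. Example", "zip": "94110", "age": 38, "diagnosis": "flu"},
    {"name": "D. Example", "zip": "10001", "age": 52, "diagnosis": "diabetes"},
    {"name": "E. Example", "zip": "10003", "age": 57, "diagnosis": "flu"},
    {"name": "F. Example", "zip": "10011", "age": 59, "diagnosis": "asthma"},
]

# Quasi-identifiers: attributes that could be linked to outside data (voter
# rolls, marketing lists) to re-identify a person. Direct identifiers are
# always dropped before release. Both choices are assumptions for this example.
QUASI_IDENTIFIERS = ("zip", "age")
DIRECT_IDENTIFIERS = ("name",)

# Generalization ladder, finest first: (ZIP digits kept, age-bucket width).
LADDER: List[Tuple[int, int]] = [(5, 1), (5, 5), (3, 10), (2, 10), (1, 20), (0, 100)]


def k_anonymity(records: List[Dict], quasi_identifiers=QUASI_IDENTIFIERS) -> int:
    """Return the size of the smallest equivalence class over the quasi-identifiers.

    A dataset is k-anonymous when every record shares its quasi-identifier
    values with at least k-1 other records. Returns 0 for an empty dataset.
    """
    classes = Counter(tuple(r[q] for q in quasi_identifiers) for r in records)
    return min(classes.values()) if classes else 0


def generalize(record: Dict, zip_digits: int, age_bucket: int) -> Dict:
    """Drop direct identifiers and coarsen the quasi-identifiers of one record."""
    out = {key: val for key, val in record.items() if key not in DIRECT_IDENTIFIERS}
    zip_code = record["zip"]
    # Keep the leading digits, mask the rest (e.g. 94105 -> 941**).
    out["zip"] = zip_code[:zip_digits] + "*" * (len(zip_code) - zip_digits)
    if age_bucket == 1:
        out["age"] = str(record["age"])
    else:
        low = (record["age"] // age_bucket) * age_bucket
        out["age"] = f"{low}-{low + age_bucket - 1}"   # e.g. 34 -> "30-39"
    return out


def anonymize(records: List[Dict], k: int, ladder=LADDER
              ) -> Optional[Tuple[Tuple[int, int], List[Dict]]]:
    """Walk the ladder from finest to coarsest and return the first setting
    (and the released records) that reaches k-anonymity >= k, or None if no
    rung suffices, which is itself a useful signal that the set is too small
    to release at that k."""
    for zip_digits, age_bucket in ladder:
        released = [generalize(r, zip_digits, age_bucket) for r in records]
        if k_anonymity(released) >= k:
            return (zip_digits, age_bucket), released
    return None


if __name__ == "__main__":
    print("raw k =", k_anonymity(RECORDS))            # raw k = 1
    result = anonymize(RECORDS, k=3)
    if result:
        setting, released = result
        print("setting", setting, "k =", k_anonymity(released))
        for row in released:
            print(row)
```

The raw records have k = 1 because every ZIP code is unique, so each row is trivially linkable; at the (3, 10) rung the six rows collapse into two classes of three and the set becomes 3-anonymous. Note what k-anonymity does not guarantee: if every record in a class carried the same diagnosis, an attacker who knows someone is in that class would learn the sensitive value anyway, which is why practitioners pair it with l-diversity or differential privacy, and why tokenization is used where the original value must remain recoverable under policy.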

The bottom line is that a security framework must allow data to move swiftly and without hindrance through cloud-based databases and applications. When these data-protection tools and technologies are used in conjunction with a Cloud Access Security Broker (CASB) and a framework for encryption-key management and policy management, an organization can slay the compliance beast, boost security and privacy safeguards, and unleash ML and AI in ways that can be transformative.

Suddenly, regulations and consumer demands for privacy protections become an opportunity—and even a competitive advantage. Security-by-design becomes achievable even in the most complex data environments that involve multi-cloud and cross-company data sharing. It’s a recipe for success in an increasingly data-centric world.
