November 25, 2020
By Stephen Cavey, Co-founder and Chief Evangelist, Ground Labs
Data has become the new oil, as it’s now considered the most valuable asset a business can hold. As organisations look to remain innovative, they must leverage the power of such data in a secure, compliant manner, which is no easy feat given the regulatory landscape.
Regulations such as the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) have continued to evolve, affecting various industries across more regions than ever before, with each piece of legislation bringing its own set of complex rules. Failure to adhere to these regulations can carry significant financial implications, such as regulatory fines, loss of market share and a decline in stock value. Even worse, neglecting compliance can demolish an organisation’s trust and expose it to significant consumer civil liability for any damages caused by a resulting data breach.
As a result, a Chief Data Officer (CDO) has never been more critical to data security. Just as compliance regulations have significantly evolved, so too has this role compared to when it first emerged 15 years ago. Back then, it would have been reasonable for the CDO to apply a single, simple data handling policy across the broader organisation, regardless of where in the world the data was located. Today, that approach would carry significant consequences under the current regulatory environment.
Let’s explore a few responsibilities required of the modern day CDO, who is the gatekeeper to achieving global compliance.
Data Security as a Business Imperative
Data security is no longer a siloed concern for legal, compliance or security teams. Today, it’s a top business imperative for all departments within an organisation. Now the responsibility to understand and protect all data across an organisation's network must be shared across all parties, from the board to the Chief Information Security Officer (CISO) through to every member of staff. The CDO’s role is to oversee the collection, management and usage of data across these parties with a key measurement of success being how the organisation continues to maintain security and regulatory compliance across all data. However, this measurement of success is not achievable without strong alignment with key stakeholders, such as the CISO.
CISOs are often focused on providing full monitoring and continuous awareness of sensitive data across the business from a security perspective. By working alongside the CDO, the CISO can now glean a better understanding of where all of an organisation’s data lives and, as a result, gain key insights into how to prioritise data management and mitigate risk.
Together, both parties can refine key best practices to bolster data management, such as investing in data discovery solutions and conducting regular workstation scans across the entire company. The CISO and CDO must work together to ensure that all of the personally identifiable information (PII) within the company is secure and compliant on an ongoing basis, no matter where it is stored.
Non-Compliance is Not an Option
While security is important, a CDO should also be focused on understanding and achieving compliance with international data standards, which is a journey and not a destination. As the rules and bylaws for each regulation continue to evolve, it’s critical that the CDO pays close attention to how each regulation differs and to the heavy cost of being non-compliant.
Unlike its European counterpart, the GDPR, which imposes fines based on the degree of violation, the CCPA allows individuals to pursue legal action against companies for their infractions. Non-compliant companies could be liable for up to $2,500 or £1,900 per individual violation arising from a data breach, an amount that can get out of hand very quickly.
In the past it has been common for data to be stolen from an organisation because the data was unknown to it and stored outside of the organisation's security controls. Under the recent data privacy laws, there is no room for such oversight or lack of data awareness: these common challenges can quickly turn into data breaches and/or heavy civil and regulatory liabilities.
To add to the mix, today’s data is more than just customer lists. It can also include data from a variety of next-generation technologies, such as biometric and facial data, or, in more severe circumstances, any stored data that relates to children. Today’s CDO must possess an in-depth understanding of the compliance landscape, including which regulations apply to which types of data. The repercussions of a lax attitude towards compliance are far too great a risk, which is why compliance should be the backbone of the modern day CDO.
Continuous Monitoring is a Must
All too often, sensitive data files within an organisation are either over-shared or copied from a secure, encrypted location to an unsecured one (e.g. the My Documents folder on a Windows desktop). This can result in potentially large quantities of highly sensitive personal data ending up across a number of unknown and insecure locations.
As an organisation must now accept the responsibility of storing sensitive data as a cost of doing business, it’s important for the CDO to confirm that all collected data is backed by a strong business justification, and is continually monitored to ensure it isn’t stored in, or transmitted to, locations that reside outside of the organisation’s security controls. Think of this as fitting locks on all entry points of an office to prevent outsider access, while also deploying motion sensors and camera surveillance in all sensitive areas to verify that the physical access controls are actually preventing unauthorised access.
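The workstation scan described above can be illustrated with a small data discovery routine. The following is an added example written for this article, not Ground Labs’ product code: it walks a directory tree, flags files that contain Luhn-valid payment card numbers (one common category of PII), masks what it found, and reports whether each hit sits outside a set of approved storage locations. The sample files, the "Vault" approved location and the "My Documents" path are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Candidate card number: 13 to 19 digits, optionally separated by single
# spaces or dashes, not embedded inside a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; filters out order numbers, phone numbers and the like."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the normalised (digits-only) card numbers found in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep BIN and last four so a report never re-creates the exposure."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_tree(root: Path, approved: set[Path]) -> list[dict]:
    """Scan every file under root; mark hits outside approved locations."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue                  # unreadable file: skip, keep scanning
        pans = find_pans(text)
        if pans:
            outside = not any(path.is_relative_to(a) for a in approved)
            findings.append({
                "path": str(path.relative_to(root)),
                "count": len(pans),
                "samples": [mask(p) for p in pans],
                "outside_controls": outside,
            })
    return findings


def build_sample_tree() -> Path:
    """Constructed demo tree: one approved store, one stray user export."""
    root = Path(tempfile.mkdtemp(prefix="pii-scan-demo-"))
    vault = root / "Vault"
    docs = root / "Users" / "alice" / "My Documents"
    vault.mkdir(parents=True)
    docs.mkdir(parents=True)
    # Approved, encrypted store (constructed; uses a well-known test PAN).
    (vault / "customers.csv").write_text("id,card\n1,5500-0000-0000-0004\n")
    # A copy that leaked into the user's desktop folder, plus an order id
    # that looks like a card number but fails the Luhn check.
    (docs / "export.txt").write_text(
        "order 1234567890123\ncard 4111 1111 1111 1111\n")
    (docs / "notes.txt").write_text("meeting at 10:30, no card data here\n")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for f in scan_tree(demo_root, {demo_root / "Vault"}):
        flag = "OUTSIDE CONTROLS" if f["outside_controls"] else "approved"
        print(f"{f['path']}: {f['count']} card number(s) {f['samples']} [{flag}]")
```

Run as-is it reports two files containing card numbers, and flags only the copy under "My Documents" as outside the approved location; the order id is discarded by the Luhn check. In a real deployment the approved set would come from the organisation’s data inventory and the scan would be scheduled, with only the masked samples written to the report.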
CDOs, the Lifeline of a Business
Compliance isn’t achieved overnight, but it’s the CDO’s primary responsibility to make the long-term journey as seamless, achievable and repeatable as possible. This often means establishing the proper people, processes and technology to support evolving regulations, while working closely with several business leaders, including the CISO, to raise awareness of where and how data is being used.
By establishing complete and ongoing visibility of all regulated data, a CDO can make a significant impact on the organisation’s processes, balance sheet, reputation and risk mitigation effort. With data now being more valuable than oil, the responsibilities of the CDO have greatly increased; in fact, the role has become the lifeline of a business.
About the Author
Stephen Cavey is Co-Founder and Chief Evangelist at Ground Labs, where he leads a global team empowering its customers to discover, identify and secure sensitive data across their organizations. He leads its worldwide product development, sales & marketing, and business operations and was instrumental in extending Ground Labs’ presence with enterprise customers. Stephen has deep security domain expertise with a focus on electronic payments and data security compliance. He is a frequent speaker at industry events on topics related to data security, risk mitigation and cybersecurity trends and futures.