In November last year, there were 95 disclosed data security incidents that resulted in 32 million breached records in Europe alone. Globally, there is a far worse picture. High-profile organizations like Twitter, Uber and Twilio all suffered data breaches last year.
Data security incidents are most likely only the tip of the iceberg. Data-related risks usually span three buckets: risks to the data, i.e., information leakage, risks with the data, i.e., information misuse and risks from the data, i.e., low-quality recommendations, decision-making, bias and discrimination.
Data needs to be adequately protected and should be handled with care. It requires anticipating the potential impact of data processing activities, providing the right access at the right time and controlling usage in real time. This is crucial to be in a position to adhere to a growing number of regulations.
The regulatory landscape is getting more complex by the day. There are many new laws on the table, some sector-specific, others impacting all sectors. The EU has proposed and is in the process of adopting a wide range of new regulations. For example, the Data Governance Act has recently been passed, the AI Act is on its way, and others, such as the Data Act, are still being negotiated. In the UK, the Data Protection and Digital Information Bill is in development, with the aim to make the GDPR more flexible and decrease the compliance burden for businesses in an attempt to build a pro-growth regime.
Adapting to New Rules
Organizations will need to intensify their compliance efforts to prepare for the new data regulations to come. Firstly, organizations must assess and refine their tech stack to ensure they offer appropriate safeguards. For example, they will need to ensure that they don’t generate unnecessary data movements, which could lead to restricted international transfers.
They will also need to be able to perform data classification and govern data retention and access based on the need-to-know principle. Regulators such as the Federal Trade Commission (FTC) have stressed the importance of ensuring that only personal information necessary for specific purposes is retained and processed in accordance with a retention schedule. Thirdly, they must be aware of sector-specific or data-specific requirements. For instance, children’s data protection is set to become a very hot issue in 2023 after the issuance of the Age Appropriate Design Code in 2021 in the UK, the adoption of the Age Appropriate Design Code Law in California in 2022 and enforcement actions in the EU, such as the Irish Data Protection Commission’s decision to impose a €405m ($402.2m) fine on Instagram.
The shift in data management rules and priorities can feel overwhelming for already time-compromised tech leaders. In fact, 62% of organizations have problems leveraging data due to a lack of data access governance, according to a recent survey undertaken by IDC.
Balancing Data Access and Privacy
One effective way to prepare for the coming regulatory challenges and maximize the use of data is to follow data security best practices. This means adopting a data-centric security and privacy management approach, which should help organizations build a robust security posture.
This requires enforcing fine-grained access control based on the need-to-know or the least privilege principle. This should help organizations to implement purpose limitation and data minimization, which are two key privacy requirements.
It is also critical to monitor data access and usage to detect risky behavior as early as possible. This is particularly important today as the increase in layoffs and job cuts across the tech industry makes organizations more vulnerable to cyber-attacks and insider data leaks.
Fortunately, there are ways that data security can be automated, reducing manual effort and the maintenance burden of managing access and privacy controls for different roles across the organization. These new approaches help to unify and enforce policy across data platforms, including cloud platforms, to ensure the right people get access to the right data, data usage is monitored in real time and appropriate safeguards are in place. Once these horizontal and by-design approaches to compliance are set up, time to data accelerates.
Consistency underpinned by technology is vital. Organizations with a uniform approach to data management and access control can increase their security and compliance while setting the foundation for extracting greater value from their data.
Data access control need not be a barrier to innovation. It can even be an enabler, as governed data often means curated, higher-quality data.