Addressing the data storage challenge of privacy compliance

05 November 2023

Stewart Parkin, CTO EMEA, Assured Data Protection

Data compliance and governance have become a major concern for many organisations due to the unabated rise in ransomware and other forms of cyber-attack. With costly penalties for non-compliance, vigilance is vital. However, the complex regulatory landscape that many organisations work across, together with changing compliance standards, can present real challenges. For example, countries and even individual states are enacting their own versions of GDPR to protect their citizens' sensitive data.

Among the main challenges that organisations face when addressing data compliance are the difficulties of discovering, classifying, and reporting on where certain types of sensitive data reside. This is an essential part of complying with regulations; in the US and Europe, the most notable ones that organisations need to comply with are:

• The Health Insurance Portability and Accountability Act (HIPAA) — regulates the privacy and security of protected health information
• The Children's Online Privacy Protection Act (COPPA) — regulates the collection of personal information from minors under the age of 13
• The Family Educational Rights and Privacy Act (FERPA) — regulates the collection and sharing of educational records
• The Fair Credit Reporting Act (FCRA) — regulates the collection, use, and sharing of consumer credit information
• The Gramm-Leach-Bliley Act (GLBA) — regulates the collection, use, and sharing of financial information
• The California Consumer Privacy Act (CCPA) — regulates the collection, use, and sharing of personal information of California residents (even if your business is not located in California)
• The General Data Protection Regulation (GDPR) — regulates the protection of personal data collected from European Union (EU) citizens (even if your business is not located in the EU)

For many organisations, the most common approach to managing data compliance is through spreadsheets with manual tagging, and monthly to yearly clean-ups. The problem with this approach is that it’s next to impossible to manage at scale. An entire team can spend days or even weeks completing one search request for audits.

When ensuring compliance at scale, the right data backup solution can play an important role by facilitating the quick discovery of personally identifiable information that could be hidden in infrastructure data. The right solution should give organisations visibility into what types of sensitive data the organisation holds and where that data is located, and should automatically build an up-to-date inventory to support current and future compliance requirements.

Data compliance best practices

Fortunately, ensuring data compliance doesn’t have to be overly complex. It’s a matter of following a methodical process. Securing all sensitive information and personal data is also good business practice. The following six-step process is a reliable framework for compliance:

• Step 1: Undertake a data inventory to gain a thorough understanding of what kind of data your organisation collects, where it resides, who can access it, and how it’s used.
• Step 2: Use the inventory to identify potential risks associated with the data discovered, and the laws and standards that apply to it.
• Step 3: Prevent unauthorised access to the data by adopting appropriate security measures.
• Step 4: Draft and implement an incident response and data breach notification plan.
• Step 5: Conduct employee training on all data compliance policies.
• Step 6: Carry out regular audits of your data security and compliance procedures and ensure they are updated as laws and standards change.
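The discovery and inventory work that Step 1 and the earlier discussion of data discovery describe can be automated in a simple form. The following is an added example, not code from the article or from Assured Data Protection: a small Python scanner that walks a directory tree, flags files containing email addresses, US SSN-format numbers and Luhn-valid payment card numbers, and records for each such file whether it is world-readable (a first answer to "who can access it"). The sample files, regex patterns, category names and the `demo()` helper are constructed assumptions for illustration; a production classifier would need locale-specific rules and validation well beyond these regexes.

```python
import re
import stat
import tempfile
from pathlib import Path

# Detectors for the kinds of personal data the inventory step is meant to
# locate. These are illustrative assumptions, not an exhaustive rule set.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card_candidate": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters random digit runs out of card-number matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_text(text: str) -> dict:
    """Return {category: count} for the personal-data types found in text."""
    found = {}
    for name, pattern in PATTERNS.items():
        hits = pattern.findall(text)
        if name == "card_candidate":
            # Keep only candidates that pass Luhn, so ticket/reference
            # numbers are not reported as payment cards.
            hits = [h for h in hits if luhn_ok(re.sub(r"\D", "", h))]
            name = "payment_card"
        if hits:
            found[name] = len(hits)
    return found


def build_inventory(root: str) -> list:
    """Walk root and record, per file, what was found and who can read it."""
    inventory = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        findings = classify_text(path.read_text(errors="ignore"))
        if not findings:
            continue
        mode = path.stat().st_mode
        inventory.append({
            "path": str(path.relative_to(root)),
            "findings": findings,
            "world_readable": bool(mode & stat.S_IROTH),
        })
    return inventory


# Constructed sample tree: two files with personal data, one with a long
# reference number that should be rejected by the Luhn check.
SAMPLE_FILES = {
    "hr/staff.csv": "name,email,ssn\nAlice,alice@example.com,123-45-6789\n",
    "finance/refunds.txt": "refund to card 4111 1111 1111 1111 approved\n",
    "notes/readme.txt": "nothing personal here, ticket 987654321012345\n",
}


def demo() -> list:
    """Write the constructed sample tree to a temp dir and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE_FILES.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return build_inventory(tmp)


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Running the script prints one inventory entry per file that holds personal data; the `notes/readme.txt` file is silent because its digit run fails the Luhn check. The output can be exported as the starting point for the audit in Step 6, and the `world_readable` flag is the kind of access fact Step 3 needs before tightening permissions.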

As an additional safeguard, it’s also a great idea to appoint a data protection officer (DPO) specifically tasked with overseeing your data compliance policies and procedures and monitoring all applicable laws and standards that may apply to your data. 

How do you know if you’re compliant?

Having done all the groundwork and implemented your data compliance processes, it’s a very good idea to seek the help of a technology expert who is well-versed in all applicable data compliance laws and certified in the standards that apply to your data. For example, starting with Step 1, the right external expert will be able to help you with your data audit and reduce your risk by discovering what types of sensitive data live in your systems, where they live, and who has access to them. To further strengthen compliance, another best practice is to deploy Zero-Trust Data Security, which protects your data and your company and helps you maintain the highest standards of data compliance and security.