Privacy and security regulations are evolving quickly. The European Union’s GDPR and California’s new CPRA law are only the most high-profile examples. According to Privacy Desk, around 110 countries have data protection and privacy laws in place. Within the US, hundreds of state-level bills are pending. Nevada, Maine, Oregon, and Texas are among the states that have already passed consumer information protection acts.
The regulations all have their own nuances and trying to stay on top of them is like playing whack-a-mole–especially if a company’s infrastructure isn’t flexible enough to adapt quickly to new requirements. A better approach is to look at the underlying principles behind these privacy laws and build data platforms that support these principles but are flexible enough to adapt to specific new requirements as they come along.
According to many experts like Bob Bratt, CISOs can bring controls in areas such as access, encryption, and metadata to the table that can help address privacy concerns, meet compliance requirements, and improve cybersecurity. “It’s a great idea that security take the lead in setting up controls necessary to protect data to new regulatory standards,” says Steve Wilson, vice president and principal analyst at Constellation Research. “The CISO has the right mindset to think strategically about data as an asset.”
That’s because accountability for information is the common theme in all the new regulations, Wilson says. “CISOs and chief data officers need to be more accountable about where the data is, where it’s going, and what it’s going to be used for.”