CISO Robb Reck is working against the clock.
As security leader at Ping Identity, a Denver-headquartered software company, Reck oversees the company's efforts to comply with the California Consumer Privacy Act (CCPA) before the mandate's Jan. 1 deadline.
Reck, however, has done a lot of the heavy lifting already. He brought his company into compliance with the European Union's General Data Protection Regulation (GDPR), which took effect in 2018.
"The process for achieving GDPR compliance was challenging and valuable. It brought activities into security purview that hadn't been before, including things like marketing data flows, lead generation and details on contractual agreements for conference sponsorships," Reck said.
The laws have prompted other more far-reaching changes within Ping, too, Reck added.
"The rise of privacy regulations has had a big impact on Ping Identity's [governance, risk and compliance] activities," he explained. "These changes drove us to formalize our own privacy program, dedicate ongoing resources to that program and embed privacy into numerous key data flows throughout the company."
Some companies, however, are going further. They use these laws as a foundation to build or strengthen data governance programs that inspire trust among customers who are increasingly concerned about how their data is being handled. In fact, compliance experts credit GDPR and other emerging rules with having a strong influence on data governance, risk and compliance programs at a number of organizations.
"These laws are forcing companies -- particularly companies that handle a lot of data or have revenue streams from customer data -- to look at the data they have, how they're storing it and how they're processing it. That's good for the companies, and that's good for consumers," said Heather Engel, founder and managing partner of Strategic Cyber Partners.
Meeting vs. exceeding expectations
Both GDPR and CCPA seek to rein in what companies can and cannot do with personal information. They are the start of what many experts expect will be an onslaught of regulations that will define the future of data privacy and security standards for organizations across industries. Most organizations find it challenging to meet existing requirements -- let alone future ones that could be even more stringent.
A recent survey from the International Association of Privacy Professionals (IAPP) and EY found that most organizations do not currently meet all their legal data privacy requirements. The "IAPP-EY Annual Privacy Governance Report 2019," released in September, found that, of the 370 privacy professionals surveyed whose organizations fall under GDPR jurisdiction, only 9% said they are fully compliant with the law. Some 36% said they're very compliant, 42% moderately compliant and 12% somewhat compliant. Only 1% said they are not compliant at all.
Engel and other privacy experts said many organizations aim to meet only the minimum standards. Those organizations treat data privacy and security as a check-the-box exercise rather than an opportunity to establish a comprehensive data governance program, she said.
However, privacy experts said new data privacy legislation, coupled with consumers' concern about how their personal information is used by organizations, has some enterprise executives revisiting their data governance programs to identify where they can improve.
Greg Reid, managing director in Protiviti's technical consulting solution area and global leader for the consultancy's privacy practice, said he has seen some companies go beyond legally mandated data privacy and security requirements. He said those companies are asking how they can implement ethical standards for how they use data.
"Those companies are asking what should we do, what would our customers want, what are we doing and what are we not going to do with data," Reid explained. "It's not a legal or compliance question. It's really about the values of the company and what the customers expect them to do with the data."
These companies are creating agile data governance programs that meet existing regulatory requirements and also anticipate future data privacy rules, experts added.
"This is by far a minority of companies, but the companies that think this way are setting themselves up for the future. They know where their data is, what their policies are, and they can adjust rules quickly and respond appropriately to regulatory changes," said Rob Clyde of Clyde Consulting LLC and immediate past board chair for ISACA, an international professional association focused on IT governance.
Challenges to better data governance
Developing a strong, yet nimble data governance program is far from easy -- even when there's a strong desire to do so, Clyde and other experts said.
For starters, many organizations still don't have a good handle on what data exists and where it resides within their enterprise.
"It's a really challenging and complex exercise because data has a tendency to creep in organizations," Engel said. She worked with one company that thought it had a good handle on its data since it was all consolidated within a central database. It was only later discovered that employees regularly downloaded information onto their hard drives to make access to those details easier.
Many organizations also still struggle to understand what legal requirements apply to them, which best practices they should adopt and how to balance data privacy and security programs against risk and resource constraints. This exercise is further complicated by a regulatory and legal environment that constantly changes.
"I'm hearing people ask: 'How do I meet the future, which is unknown?'" Reid said.
Meanwhile, many organizations continue to struggle with the more complex aspects of the data privacy laws and emerging best practices, such as how they must handle individual customer requests to review or delete the information that the organization has about them.
As a result, experts said data governance executives -- and indeed all executives -- should view data governance as a continually evolving discipline. They must balance regulatory requirements, best practices, risk and available resources as they exist within their own organization, and recognize that each organization has its own unique balancing act to perform.
"That, in a lot of ways, is the next level of maturity," Engel said.