The phone rings.
A woman on the other end of the line speaks in a high-pitched voice. After a few minutes, Sherlock Holmes hangs up the phone and turns to his colleague Dr. Watson.
The caller’s job involves handling copious amounts of data while navigating ever-evolving regulatory requirements. With so much conflicting information and very little time before her SOC 2 audit, she requested the dynamic duo’s help deciphering fact from fiction.
“So, where do we begin?” Watson sighs.
“The elementaries, my dear Watson…The elementaries.”
And that is exactly where we will begin this article as well.
What Is Data Compliance (and Why Does It Matter)?
Data compliance is the practice of ensuring that information collected, stored, and used by organizations is accurate, secure, and in compliance with relevant laws and standards.
Depending on the industry or jurisdiction in which the organization operates, these standards vary. Data compliance is crucial for organizations for several reasons.
- Financial Protection: Noncompliance can result in severe financial penalties or other punishment for the organization, as well as for the employees who handle its data.
- Operational Excellence: Data-compliance policies aim to uphold the integrity, accuracy, and security of information while helping organizations identify opportunities to improve standard operating procedures.
- Data Protection: Compliance also protects against attacks, fraud, and other risks.
Now, let’s clear up some common points of confusion regarding data compliance.
Data Compliance: Separating Fact from Fiction
1. Data Privacy Regulations Are Synonymous with Data Compliance
The public conversation around data compliance — even when led by those with a fairly solid grasp of what it includes — tends to focus on data privacy.
These discourses often leave an unknowing audience with the impression that data privacy is synonymous with data compliance. While data privacy definitely forms a huge part of data compliance, it is only a subset of it. Aspects of data regulation include:
Data Storage
Data regulations and standards often stipulate how data must be stored. For example, the PCI DSS requires that organizations store credit card data with encryption in place. Many organizations’ internal policies also require full-disk encryption for data at rest, and complying with those policies is a core part of being data compliant.
Data storage regulations may also limit how long data may be stored. For example, Article 5(1)(e) of the GDPR mandates that personal data must not be kept in a form that allows the data subject to be identified for longer than is necessary for the purpose for which the data was collected.
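A retention limit like the GDPR one above is only a compliance control if something actually enforces it. The following Python is an added example, not code from the original article or from JumpCloud: it assumes a hypothetical retention schedule keyed by the purpose recorded at collection, pins the clock so the result is reproducible, and sorts constructed sample records into kept, purged and review buckets. Records with no documented purpose are escalated rather than silently kept or deleted, since there is no basis on which to decide either way.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed retention schedule for the example, keyed by the purpose recorded
# when the data was collected. These periods are illustrative, not taken from any law.
RETENTION_DAYS: Dict[str, int] = {
    "order_fulfilment": 365,
    "marketing": 180,
    "support_ticket": 90,
}


@dataclass
class Record:
    record_id: str
    purpose: str            # why the data was collected (the retention basis)
    collected_at: datetime  # when the retention clock started
    email: Optional[str]    # identifying fields that must not outlive the purpose
    name: Optional[str]


def retention_deadline(record: Record) -> Optional[datetime]:
    """Date after which the record may no longer be kept in identifiable form."""
    days = RETENTION_DAYS.get(record.purpose)
    if days is None:
        return None  # no documented purpose: no basis to decide, so escalate
    return record.collected_at + timedelta(days=days)


def enforce_retention(records: List[Record], now: datetime) -> Dict[str, List[str]]:
    """Split records into kept, purged (past deadline) and review (no documented purpose).

    A production job would delete or irreversibly anonymize the purged records
    and write the action to an audit log; here the ids are returned instead.
    """
    result: Dict[str, List[str]] = {"kept": [], "purged": [], "review": []}
    for rec in records:
        deadline = retention_deadline(rec)
        if deadline is None:
            result["review"].append(rec.record_id)
        elif deadline <= now:
            result["purged"].append(rec.record_id)
        else:
            result["kept"].append(rec.record_id)
    return result


# Constructed sample data; the clock is pinned so the outcome is reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    Record("r1", "order_fulfilment", datetime(2023, 1, 15, tzinfo=timezone.utc), "a@example.com", "A"),
    Record("r2", "order_fulfilment", datetime(2024, 3, 1, tzinfo=timezone.utc), "b@example.com", "B"),
    Record("r3", "marketing", datetime(2024, 1, 1, tzinfo=timezone.utc), "c@example.com", "C"),
    Record("r4", "support_ticket", datetime(2024, 2, 1, tzinfo=timezone.utc), "d@example.com", "D"),
    Record("r5", "legacy_import", datetime(2020, 1, 1, tzinfo=timezone.utc), "e@example.com", "E"),
]

if __name__ == "__main__":
    print(enforce_retention(SAMPLE_RECORDS, NOW))
```

Running it reports r1 and r4 as past their deadline, r2 and r3 as still within retention, and r5 as needing review because no purpose was ever recorded for it. That last bucket is the one auditors tend to ask about: data with no documented purpose has no documented retention basis either.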
Access Control
These are policies and regulations that determine who has access to specific data within an organization. Access control may be implemented in different forms, but most are geared toward preventing credential abuse and ensuring that only authorized personnel get access to data.
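The two questions an access-control policy has to answer are "who may do what to which data" and "can we prove it afterwards." The Python below is an added example, not code from the original article or from JumpCloud's platform: it assumes a hypothetical role-to-permission map, treats one constructed dataset as sensitive enough to require an MFA-backed session, records every decision in an audit log, and can list which roles reach a given dataset, which is the "who has access to what" question an auditor asks.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

# Constructed role-to-permission map (hypothetical; not any vendor's model).
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "support_agent": {("read", "tickets")},
    "billing_clerk": {("read", "cardholder_data"), ("write", "cardholder_data")},
    "auditor": {("read", "tickets"), ("read", "audit_log")},
}
# Datasets whose access additionally requires an MFA-verified session.
SENSITIVE_DATASETS: Set[str] = {"cardholder_data"}


@dataclass
class Session:
    user: str
    roles: Set[str]
    mfa_verified: bool


@dataclass
class AuditEvent:
    at: str
    user: str
    action: str
    dataset: str
    allowed: bool
    reason: str


class AccessController:
    def __init__(self) -> None:
        self.audit_log: List[AuditEvent] = []

    def authorize(self, session: Session, action: str, dataset: str,
                  now: Optional[datetime] = None) -> bool:
        """Decide an access request and record the decision, allowed or not."""
        now = now or datetime.now(timezone.utc)
        allowed, reason = self._decide(session, action, dataset)
        self.audit_log.append(AuditEvent(now.isoformat(), session.user, action, dataset, allowed, reason))
        return allowed

    @staticmethod
    def _decide(session: Session, action: str, dataset: str) -> Tuple[bool, str]:
        # Union of permissions granted by every role the session holds; no role, no access.
        granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in session.roles))
        if (action, dataset) not in granted:
            return False, "no role grants this permission"
        if dataset in SENSITIVE_DATASETS and not session.mfa_verified:
            return False, "sensitive dataset requires an MFA-verified session"
        return True, "granted by role"

    @staticmethod
    def roles_with_access(dataset: str) -> List[str]:
        """Roles holding any permission on a dataset: the auditor's access-review list."""
        return sorted(role for role, perms in ROLE_PERMISSIONS.items()
                      if any(ds == dataset for _, ds in perms))


if __name__ == "__main__":
    ac = AccessController()
    agent = Session("alice", {"support_agent"}, mfa_verified=False)
    clerk = Session("bob", {"billing_clerk"}, mfa_verified=False)
    print(ac.authorize(agent, "read", "tickets"))           # allowed
    print(ac.authorize(agent, "read", "cardholder_data"))   # denied: no role
    print(ac.authorize(clerk, "read", "cardholder_data"))   # denied: no MFA
    for event in ac.audit_log:
        print(event)
    print(AccessController.roles_with_access("cardholder_data"))
```

Denied requests are logged with the same detail as granted ones; a log that only records successes cannot show an auditor that the control actually blocked anything.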
Data Privacy
Data privacy regulations outline how personal data can be collected, processed, and stored. Data privacy requirements typically involve obtaining consent from users before collecting personal data, informing them of what you’re going to do with their data, and notifying them when there’s a breach.
Data Security & Protection
Data security standards require data controllers to take adequate steps to prevent internal and external actors from tampering with data. These standards vary by industry, but they are based on general security principles. Examples include encrypting data in transit and authentication protocols such as two-factor authentication.
Data protection standards, on the other hand, require data controllers to create safeguards against data loss. This typically involves having a data backup and recovery system in place.
Legal Requirements
These are any other standards that apply specifically to the organization or to the type of data in question. For example, the Sarbanes-Oxley Act requires organizations to ensure that their financial reports are accurate and free of misrepresentation, while the Gramm-Leach-Bliley Act requires financial institutions to implement safeguards that protect customers’ personal information.
Verdict: Fiction!
2. Data Compliance Is a Costly Affair
A 2017 report by Ponemon Institute LLC indicated that compliance with data regulations set firms back by an average of $5.5 million. That’s nearly a 55% increase over the $3.5 million average cost in 2011.
These costs aren’t surprising given that organizations often make significant outlays for the tools and technology needed to ensure compliance. They also need to train employees on compliance policies and procedures, which can be time-consuming and expensive. In some cases, they may even hire additional staff to manage compliance, thus adding to the cost.
According to a 2022 report by Thomson Reuters, organizations can expect that increased regulatory requirements coupled with increased personal liability of compliance officers will result in additions to their current compliance costs.
Be that as it may, it’s helpful to look at the brighter side: these costs are far less than the cost of noncompliance! The Ponemon study showed that the average cost of noncompliance with data regulations was $14.82 million in 2017, a 58% increase from $9.37 million in 2011. And that’s speaking only in economic terms; reputational costs are more difficult to quantify in monetary terms.
Verdict: Fact, albeit noncompliance is the costlier affair.
3. Perfection Is Required to Pass an Audit
The requirements of a compliance audit depend on which standards or regulations the audit is based on. Generally though, a data compliance audit will examine who has access to what, check event logs, and confirm that the information held is accurate and up to date.
Contrary to what many believe though, auditors are not out to fail organizations. Most auditors understand that perfection is almost impossible, especially given that data regulations themselves are not always clear, and are sometimes even contradictory.
For example, the Payment Services Directive 2 (PSD2), applicable in the European Union, permits the sharing of customer information in a bid to improve competition in the payment sector, which may technically amount to a breach of the GDPR.
Given these realities, auditors are more interested in seeing organizations prioritize the most essential requirements. For instance, a SOX audit is more concerned with the accuracy of financial reports and the integrity of internal controls than with seeing organizations implement data storage requirements to the letter.
Thus, organizations can focus less on the elusive goal of perfection and more on developing a long-term strategy for achieving compliance. This involves examining where processes need to be improved and sharing plans with the auditors on how this will be done within a reasonable time frame.
Verdict: Fiction!
4. Compliance Regulations Provide Clear Control Guidelines
Fortunately, industry-specific standards such as the PCI DSS sometimes provide specific control guidelines for organizations operating within their scope.
More often than not, however, data compliance regulations such as the GDPR, the UK Data Protection Act, and the California Consumer Privacy Act (CCPA), which are broad in scope and apply to many types of data controllers, lack clarity or omit control guidelines entirely.
The reasons for this are not hard to find. First, unlike standards such as the PCI DSS, which can be updated regularly in the face of technological advances, legislation is not updated as frequently, because it has to go through a legislative process that can take years.
Second, regulations are designed to be flexible so that organizations can interpret them to fit their operations. This is closely linked to the fact that general outcomes are difficult to measure in regulation. Control guidelines are therefore often left open-ended, and organizations have some freedom in determining how they will comply.
It is therefore left to organizations to devise control guidelines that suit their specific needs.
Verdict: Fiction!
5. Data Compliance Standards Are Similar in Certain Respects
Despite the seemingly endless labyrinth that data regulations present to data handlers, many of its tunnels lead to the same place.
Most data regulations make provisions for data privacy, security, and protection to such an extent that compliance with any one of them amounts to, at least, significant compliance with the others.
For example, say a California-based organization puts processes in place to comply with the CCPA. The business can easily replicate those measures for other data compliance regulations down the line.
Typically, these processes would require obtaining consumers’ informed consent before collecting personal data, allowing them to exercise their right to data deletion, and protecting stored data with adequate measures. The GDPR and the UK Data Protection Act contain similar provisions, so the same processes can be used to comply with these regulations without any difficulty.
Verdict: Fact!
Streamline Data Compliance with JumpCloud
Data compliance is a journey, not a destination. That’s why it’s important for organizations to always have the right tools and solutions in place to ease compliance efforts.
The JumpCloud Directory Platform provides a single pane of glass to implement policies, monitor compliance, and streamline audits across IT environments. With JumpCloud, organizations can become more efficient by consolidating their toolkits and setting up systems to access and monitor data efficiently, reliably, and securely.
Seeking your own Sherlock Holmes for data compliance?
Our IT Compliance Quickstart Guide is the next best thing.
Epilogue
“Phew! I’ve got to admit, that was more stressful than I had expected,” Watson said as he and Sherlock trudged back to the office.
“At least we are now better informed about data compliance and the various misconceptions surrounding it. There needs to be absolute clarity regarding data compliance and how to develop strategies to meet data compliance goals. It’s only through continuous investigation that SMEs can implement effective data hygiene strategies and get compliance-ready.”