Complying with emerging privacy regulations: sometimes you need a silver cannonball

We all know the analogy of a silver bullet. Often we use the term in a business setting to talk about how to address a specific challenge: “just give me a silver bullet to beat my competition,” or “what’s the silver bullet to come in under budget.” It makes it sound as if there is a simple, approachable solution for complicated situations. On rare occasions there are unassuming answers to intricate problems. Unfortunately, in regards to GDPR compliance or other privacy regulations cropping up around the world in 2018, this is not the case.

What makes protecting customer privacy so difficult is that the challenge is both a broad and deep problem. In the first place, it’s hard enough for organizations to identify what data falls under the umbrella of such regulations. Often a data controller or processor is managing billions of data objects, scattered in many distinct data silos, of which only a percentage contain personal data. 

The organization must be able to access, understand, and then accurately classify what information they have to determine if the data is actually a legitimate target worth protecting. Cast your net too narrow, and you run the risk of missing something critical, which will put your organization at risk. Cast it too wide, and you’re protecting too much, which can break down processes and result in extra work for resources that are already stretched too thin.

At the same time, businesses must be able to respond quickly and take action on the right information in a number of ways. This includes having the ability to protect against breaches (and notify customers/the appropriate regulatory body if a breach occurs), encrypt, redact, quarantine and govern information throughout its lifecycle. Further, if a regulatory body needs to learn more about what action was taken, or if the information is required for a legal matter, the organization must be able to provide all information that provides the complete context required, often in a very short period of time.

Technology advancements have evolved to a point where it can assist in such endeavors, but organizations must be careful when evaluating potential solutions. It’s easy to become caught up in marketing and believe that a silver bullet exists. Many campaigns will have you believe that with a single “off the rack” purchase you can quickly and cost efficiently become compliant. In reality, it’s not that simple. In fact, there are very few technology vendors with an analytics tool-chest robust enough to address the volume and variety of data that must be addressed at scale, nor a broad enough portfolio to support the multiple use cases that such regulations call for. 

Many organizations will consider a “best of breed” approach to such complex problems, which is often a euphemism for a slew of loosely integrated software technologies. Often the end-result is dozens of exceptions or processing errors, significant manual oversight, or altogether breakdowns – leading to added stress, cost and risk.

A better alternative is developing an IT strategy that is well integrated, supplemented by deep analytics to help organizations make better decisions and steeped in deep domain compliance and security expertise to protect sensitive corporate data. Such a strategy should be flexible enough to answer some fundamental questions, including:

• What and where is the information that will fall under these regulations?
• How do I identify information for disposition, in accordance with “the right to be forgotten”?
• How do I best apply and enforce policies to manage information through its lifecycle?
• How can I quickly and cost-effectively respond to legal matters requiring information under my management?
• How do I manage the volumes of sensitive data-at-rest?
• How can I neutralize the impact of a data breach?
• How do I best ensure sensitive data is protected, stored and backed up securely?

If you aren’t confident that your strategy will deliver answers to each of these key questions, it’s likely you’re not using the right ammunition. 

Having spoken with hundreds of senior executives all around the world over the past few years, who wrestle with how to safely and quickly comply, I can tell you emphatically, there is no silver bullet. These are very bright people with talented IT professionals on staff and (in many cases) access to any resources they need.

The final analysis tends to be the same: seek technology partners that understand privacy, and can offer the flexibility required, and then work together to marshal the resources to develop a solution that is tailored to the organization’s specific and long-term needs. In the end, when you’re shooting at something big, make sure you’ve packed the right caliber to do the job.