Are GDPR and other regulations putting your business in a choke hold?

The impact of new global data regulations like GDPR on businesses came into stark relief in a report issued by Accenture that was featured in the Wall Street Journal recently. The article in the CIO Journal by Angus Loten entitled “Global Data Policies Restricting Growth: Report” captured the findings of a global survey of 400 CIOs and CTOs. The most alarming results:

• Of the 400 chief information officers and chief technology officers surveyed, 74% of respondents said they expect their firms to exit a regional market or delay or abandon market-entry plans over the next three years as a result of increased barriers to data and IT tools.
• Four in five surveyed said they factor these and other obstacles to globalization in strategic planning

As someone who works for an organization that has been preaching about safe cloud enablement for several years now, I had two thoughts. On one hand, this is the new normal. The cybersecurity industry needs to find a way to solve for this challenge without endangering the cloud-first initiatives that many organizations (including many Netskope customers) have put forward in the past few years. On the other hand, though, the need for privacy and data protection can be addressed without security getting in the way of organizations progressing or growing from a cloud perspective.  

Luckily, help is on the way! Many cloud service providers are jumping on this challenge. For example, Box provides data classification capabilities which allows users to engage and become part of the solution. By tagging content, policies can be set to keep content in the right place. Third-party security providers like Netskope can help by providing visibility and control over where regulated data ends up. For example, policies like “don’t allow information about German employees to leave Germany” can be set up. You should also make sure your security provider allows you to place geographic controls over where your data is processed.

I can’t say I blame anyone for wanting to throw up their hands or crawl under a rock in the hopes that some of regulatory restrictions get loosened. After all, according to our most recent cloud report, of the 24,000+ cloud services Netskope currently tracks, only 25% get a “high” GDPR-readiness rating.

So, here’s a pep talk. We’re security professionals! We’re the ones on the wall keeping watch and just like we’ve done before, we’re going to find a way to keep moving forward. It just so happens that our work has never been more closely aligned with the success of the businesses we’re guarding. It’s our job to enable the business in a secure fashion – this includes facilitating compliant regional expansion. And with proper preparation, we believe that it won’t be as hard as you think. We’ll leave you with a couple tips to help you better be prepared for following regulations and compliance initiatives as they come up. Here they are:

• Audit all data flows across the organization so you know where sensitive data is going and how it’s being used. This will be relevant for multiple compliance regimens and helpful for any audits or forensics that need to be done on suspected violations or incidents.
• Appoint relevant compliance leadership to ensure proper attention and training is applied. Starting early with this will help alleviate any headaches down the road as your organization will have had the processes and teams in place to address regulatory challenges.
• Identify compliance programs and security that may apply across regulations. For example, many policies used to protect data and ensure proper handling of data for PCI-DSS are applicable to the new NYDFS rules.

I hope that helps. In addition, here are two recently published resources that you may find useful:

1. Tackling the NYDFS Cybersecurity Requirements
2. EU GDPR Cloud-Readiness and Compliance Checklist